Abstract

Lists, multisets, and sets are well-known data structures whose usefulness is widely recognized in various areas of Computer Science. These data structures have been analyzed from an axiomatic point of view with a parametric approach in which the relevant unification algorithms have been developed. In this paper we extend these results considering more general constraints including not only equality but also membership constraints as well as their negative counterparts.

1 Introduction



Programming and specification languages usually allow the user to represent various forms of aggregates of data objects, characterized by the way elements are organized and accessed. In this paper we consider four different kinds of aggregates: lists, multisets, compact lists, and sets. The basic difference between them lies in the order and/or repetitions of their data objects.

The importance of these forms of aggregates is widely recognized in various areas of Computer Science. Lists are the classical example used to introduce dynamic data structures in imperative programming languages, and they are the fundamental data structure in functional and logic languages. Sets are the main data structure used in specification languages (e.g., in Z) and in high-level declarative programming languages; but also imperative programming languages may take advantage of the set data abstraction (e.g., SETL). Multisets, often called bags in the literature, emerge as the most natural data structure in several interesting applications. A compact list is a list in which contiguous occurrences of the same element are immaterial; some possible application examples are suggested in the literature.

Lists, multisets, compact lists, and sets have been analyzed from an axiomatic point of view and studied in the context of (Constraint) Logic Programming (CLP) languages; the lattice induced by their axiomatizations has Lists at the bottom, Multisets and Compact lists above it, and Sets at the top. In this context, these aggregates are conveniently represented as terms, using different constructors.

[Figure: the lattice of the four aggregates]

The theories studied deal with aggregate constructor symbols as well as with an arbitrary number of free constant and function symbols. Previous work focuses on equality between terms in each of the four theories. This amounts to solving the unification problems in the equational theories describing the properties of the four considered aggregates. Unification algorithms for all of them are provided there; NP-unification algorithms for sets and multisets are also presented in the literature. In Sections 3 and 4.1 we recall the main results of that work.

Dip. di Matematica, Universita di Parma. Via M. D'Azeglio 85/A, 43100 Parma (Italy). gian-

In this paper we extend those results to the case of more general constraints. The constraints we consider are conjunctions of literals based on both the equality and the membership predicate symbols. For the case of sets, the problem has already been studied in earlier work. In Section 4 we define the notion of constraint and we identify the privileged models for the axiomatic theories used to describe the considered aggregates. We show that satisfiability of constraints in those models is equivalent to satisfiability in any model. We then define the notion of solved form for constraints, and we prove that solved form constraints are satisfiable over the proposed privileged models. In Section 5 we describe, for each kind of aggregate, the constraint rewriting procedures used to eliminate all atomic constraints not in solved form. We use these procedures in Section 6 to solve the general satisfiability problem for the considered constraints. Some conclusions are drawn in Section 7. Throughout the paper the word aggregate is used to denote generically one of the four considered aggregates, namely lists, multisets, compact lists, and sets.

2 Preliminary Notions 

Basic knowledge of first-order logic is assumed; in this section we recall some notions and we fix some notations that we will use throughout the paper.

A first-order language $\mathcal{L} = (\Sigma, \mathcal{V})$ is defined by a signature $\Sigma = (\mathcal{F}, \Pi)$ composed of a set $\mathcal{F}$ of constant and function symbols and a set $\Pi$ of predicate symbols, and by a denumerable set $\mathcal{V}$ of variables. A (first-order) theory $T$ on a language $\mathcal{L}$ is a set of closed first-order formulas of $\mathcal{L}$ such that each closed formula of $\mathcal{L}$ which can be deduced from $T$ is in $T$. A (first-order) set of axioms $\Theta$ on $\mathcal{L}$ is a set of closed first-order formulas of $\mathcal{L}$. A set of axioms is said to be an axiomatization of $T$ if $T$ is the smallest theory such that $\Theta \subseteq T$. Sometimes we use the term theory also to refer to an axiomatization of the theory. When $\Theta = \{\varphi_1, \ldots, \varphi_n\}$ and $A_1, \ldots, A_n$ are the names of the formulas $\varphi_1, \ldots, \varphi_n$, we refer to that theory simply as $A_1 \cdots A_n$.

Capital letters $X, Y, Z$, etc. are used to represent variables, $f, g$, etc. to represent constant and function symbols, and $p, q$, etc. to represent predicate symbols. We also use $\bar{X}$ to denote a (possibly empty) sequence of variables. $T(\mathcal{F}, \mathcal{V})$ ($T(\mathcal{F})$) denotes the set of first-order terms (resp., ground terms) built from $\mathcal{F}$ and $\mathcal{V}$ (resp., $\mathcal{F}$). The function $size : T(\mathcal{F}, \mathcal{V}) \to \mathbb{N}$ returns the number of occurrences of constant and function symbols in a term. Given a term $t$, $FV(t)$ denotes the set of all variables which occur in $t$. Given a sequence of terms $t_1, \ldots, t_n$, $FV(t_1, \ldots, t_n)$ is the set $\bigcup_{i=1}^{n} FV(t_i)$. When the context is clear, we use $\bar{t}$ to denote a sequence $t_1, \ldots, t_n$ of terms. If $\varphi$ is a first-order formula, $FV(\varphi)$ denotes the set of free variables in $\varphi$. $\exists\varphi$ ($\forall\varphi$) is used to denote the existential (universal) closure of the formula $\varphi$, namely $\exists X_1 \cdots \exists X_n\, \varphi$ ($\forall X_1 \cdots \forall X_n\, \varphi$), where $\{X_1, \ldots, X_n\} = FV(\varphi)$. An equational axiom is a formula of the form $\forall X_1 \cdots \forall X_n\, (\ell = r)$ where $FV(\ell = r) = \{X_1, \ldots, X_n\}$. An equational theory is an axiomatization whose axioms are equational axioms.

Given a first-order language $\mathcal{L} = (\Sigma, \mathcal{V})$, a $\Sigma$-structure is a pair $\mathcal{A} = (A, I)$ where $A$ is a non-empty set (the domain) and $I$ is the interpretation function of all constant, function, and predicate symbols of $\Sigma$ on $A$. A valuation $\sigma$ is a function from a subset of the set of variables $\mathcal{V}$ to $A$. $\sigma$ and $I$ determine uniquely a function $\sigma^I$ from the set of first-order terms over $\mathcal{L}$ to $A$ and a function from the set of formulas over $\mathcal{L}$ to the set $\{false, true\}$. When the $\Sigma$-structure is fixed, $\sigma^I$ depends only on $\sigma$; thus, with abuse of notation, $\sigma^I$ is simply written as $\sigma$. Given a $\Sigma$-structure $\mathcal{A}$, a valuation $\sigma$ is said to be a successful valuation of $\varphi$ if $\sigma(\varphi) = true$. This fact is also denoted by $\mathcal{A} \models \sigma(\varphi)$. A formula $\varphi$ is satisfiable in $\mathcal{A}$ if there is a valuation $\sigma : FV(\varphi) \to A$ such that $\mathcal{A} \models \sigma(\varphi)$; in this case we say that $\mathcal{A} \models \exists\varphi$. We say that $\mathcal{A} \models \varphi$ if for every valuation $\sigma : FV(\varphi) \to A$ it holds that $\mathcal{A} \models \sigma(\varphi)$. We remind that a formula is satisfiable in a $\Sigma$-structure $\mathcal{A}$ if and only if its existential closure is satisfiable in $\mathcal{A}$. Two formulas $C_1$ and $C_2$ are equi-satisfiable in $\mathcal{A}$ if $C_1$ is satisfiable in $\mathcal{A}$ if and only if $C_2$ is satisfiable in $\mathcal{A}$. A structure $\mathcal{A}$ is a model of a theory $T$ if $\mathcal{A} \models \varphi$ for all $\varphi$ in $T$. We say that $T \models \varphi$ if $\mathcal{A} \models \varphi$ for all models $\mathcal{A}$ of $T$.



3 The Theories

For each aggregate considered, we assume that $\Pi$ is $\{=, \in\}$ and that $\mathcal{F}$ contains the constant symbol nil and exactly one among the binary function symbols:

$[\,\cdot \mid \cdot\,]$ for lists, $\{\![\,\cdot \mid \cdot\,]\!\}$ for multisets, $[\![\,\cdot \mid \cdot\,]\!]$ for compact lists, $\{\,\cdot \mid \cdot\,\}$ for sets.

Moreover, each signature can contain an arbitrary number of other constant and function symbols. The four function symbols above are referred to as the aggregate constructors. The empty list, multiset, compact list, and set are all denoted by the constant symbol nil. We use simple syntactic notations for terms built using these symbols. In particular, the list $[s_1 \mid [s_2 \mid \cdots [s_n \mid t] \cdots]]$ will be denoted by $[s_1, \ldots, s_n \mid t]$, or simply by $[s_1, \ldots, s_n]$ when $t$ is nil. The same conventions will be exploited also for the other aggregates.



3.1 Lists

The language $\mathcal{L}_{List}$ is defined as $(\Sigma_{List}, \mathcal{V})$, where $\Sigma_{List} = (\mathcal{F}_{List}, \Pi)$, $[\,\cdot \mid \cdot\,]$ and nil are in $\mathcal{F}_{List}$, and $\Pi = \{=, \in\}$. We recall that $\mathcal{F}_{List}$ can contain other constant and function symbols. The first-order theory List for lists is shown in Figure 1, where $t[x]$ denotes a term $t$ having $x$ as a proper subterm.

The three axiom schemata $(F_1)$, $(F_2)$, and $(F_3)$ (called freeness axioms, or Clark's equality axioms) were originally introduced by Mal'cev in [20]. Observe that $(F_1)$ holds for $[\,\cdot \mid \cdot\,]$ as a particular case. $(F_3)$ states that there is no term which is also a subterm of itself. Note that $(K)$ implies that $\forall x\,(x \notin nil)$.



3.2 Multisets

The language $\mathcal{L}_{MSet}$ is defined as $(\Sigma_{MSet}, \mathcal{V})$, where $\Sigma_{MSet} = (\mathcal{F}_{MSet}, \Pi)$, $\{\![\,\cdot \mid \cdot\,]\!\}$ and nil are in $\mathcal{F}_{MSet}$, and $\Pi = \{=, \in\}$. A theory of multisets, called MSet, can be simply obtained from the theory of lists shown above. The constructor $[\,\cdot \mid \cdot\,]$ is replaced by the constructor $\{\![\,\cdot \mid \cdot\,]\!\}$ in axiom schema $(K)$ and axiom $(W)$. The behavior of this new symbol is regulated by the following equational axiom

$(E^m_p)\quad \forall x\,y\,z\;\; \{\![x, y \mid z]\!\} = \{\![y, x \mid z]\!\}$ (permutativity)

which, intuitively, states that the order of elements in a multiset is immaterial. Axiom schema $(F_1)$ does not hold for multisets when $f$ is $\{\![\,\cdot \mid \cdot\,]\!\}$. It is replaced by axiom schema $(F^m_1)$, which restricts $(F_1)$ to the function symbols distinct from $\{\![\,\cdot \mid \cdot\,]\!\}$ (see Figure 1).

In the theory $K\,W\,E^m_p\,F^m_1\,F_2\,F_3$, however, we lack a general criterion for establishing equality and disequality between multisets. To obtain it, the following multiset extensionality property is introduced: two multisets are equal if and only if they have the same number of occurrences of each element, regardless of their order. The axiom proposed in [11] to force this property is the following:

$(E^m_k)\quad \forall y_1\,y_2\,v_1\,v_2\; \Big( \{\![y_1 \mid v_1]\!\} = \{\![y_2 \mid v_2]\!\} \;\leftrightarrow\; (y_1 = y_2 \wedge v_1 = v_2) \vee \exists z\,(v_1 = \{\![y_2 \mid z]\!\} \wedge v_2 = \{\![y_1 \mid z]\!\}) \Big)$

$(E^m_k)$ implies $(E^m_p)$. Axiom schema $(F^m_3)$ is also introduced:

$(F^m_3)\quad \forall x_1 \cdots x_m\, y_1 \cdots y_n\, x\; \Big( \{\![x_1, \ldots, x_m \mid x]\!\} = \{\![y_1, \ldots, y_n \mid x]\!\} \;\rightarrow\; \{\![x_1, \ldots, x_m]\!\} = \{\![y_1, \ldots, y_n]\!\} \Big)$

Axiom schema $(F^m_3)$ reinforces the acyclicity condition imposed by the standard axiom schema $(F_3)$. As a matter of fact, $X \neq \{\![a, b, b \mid X]\!\}$ follows from $(F_3)$. Axiom schema $(F^m_3)$ states that, since $\{\![a, a, b]\!\} \neq \{\![a, b, b]\!\}$, then $\{\![a, a, b \mid X]\!\} \neq \{\![a, b, b \mid X]\!\}$. This property is not a consequence of the remaining part of the theory.



3.3 Compact Lists

The language $\mathcal{L}_{CList}$ is defined as $(\Sigma_{CList}, \mathcal{V})$, where $\Sigma_{CList} = (\mathcal{F}_{CList}, \Pi)$, $[\![\,\cdot \mid \cdot\,]\!]$ and nil are in $\mathcal{F}_{CList}$, and $\Pi = \{=, \in\}$. Similarly to multisets, the theory of compact lists, called CList, is obtained from the theory of lists with only a few changes. The list constructor symbol is replaced by the binary compact list constructor $[\![\,\cdot \mid \cdot\,]\!]$ in $(K)$ and $(W)$. The behavior of this symbol is regulated by the equational axiom

$(E^c_a)\quad \forall x\,y\;\; [\![x, x \mid y]\!] = [\![x \mid y]\!]$ (absorption)

which, intuitively, states that contiguous duplicates in a compact list are immaterial. As for multisets, we introduce a general criterion for establishing both equality and disequality between compact lists. This is obtained by introducing the following axiom:

$(E^c_k)\quad \forall y_1\,y_2\,v_1\,v_2\; \Big( [\![y_1 \mid v_1]\!] = [\![y_2 \mid v_2]\!] \;\leftrightarrow\; (y_1 = y_2 \wedge v_1 = v_2) \vee (y_1 = y_2 \wedge v_1 = [\![y_2 \mid v_2]\!]) \vee (y_1 = y_2 \wedge [\![y_1 \mid v_1]\!] = v_2) \Big)$

$(E^c_a)$ is implied by $(E^c_k)$. Axiom schema $(F_1)$ is replaced by axiom schema $(F^c_1)$:

$(F^c_1)\quad \forall x_1 \cdots x_n\, y_1 \cdots y_n\; \big( f(x_1, \ldots, x_n) = f(y_1, \ldots, y_n) \;\rightarrow\; x_1 = y_1 \wedge \cdots \wedge x_n = y_n \big)$, for any $f \in \mathcal{F}_{CList}$, $f$ distinct from $[\![\,\cdot \mid \cdot\,]\!]$

The freeness axiom $(F_3)$ needs to be suitably modified. The introduction of $(F_3)$ is motivated by the requirement of finding solutions to equality constraints over $\Sigma$-structures whose domain is built on the Herbrand Universe, where each term is modeled by a finite tree. As opposed to lists and multisets, an equation such as $X = [\![nil \mid X]\!]$ admits a solution in these structures: precisely, a solution that binds $X$ to the term $[\![nil \mid t]\!]$, where $t$ is any term. Therefore, as explained in [11], axiom schema $(F_3)$ should be weakened and, thus, replaced by:

$(F^c_3)\quad \forall x\,(x \neq t[x])$, unless $t$ is of the form $[\![t_1, \ldots, t_n \mid x]\!]$ with $n > 0$, $x \notin FV(t_1, \ldots, t_n)$, and $t_1 = \cdots = t_n$

Figure 1: Axioms for the four theories



3.4 Sets

The language $\mathcal{L}_{Set}$ is defined as $(\Sigma_{Set}, \mathcal{V})$, where $\Sigma_{Set} = (\mathcal{F}_{Set}, \Pi)$, $\{\,\cdot \mid \cdot\,\}$ and nil are in $\mathcal{F}_{Set}$, and $\Pi = \{=, \in\}$. The last theory we consider is the simple theory of sets Set. Sets have both the permutativity and the absorption properties which, in the case of $\{\,\cdot \mid \cdot\,\}$, can be rewritten as follows:

$(E^s_p)\quad \forall x\,y\,z\;\; \{x, y \mid z\} = \{y, x \mid z\}$

$(E^s_a)\quad \forall x\,y\;\; \{x, x \mid y\} = \{x \mid y\}$

A criterion for testing equality (and disequality) between sets is obtained by combining the multiset equality axiom $(E^m_k)$ and the compact list equality axiom $(E^c_k)$; the right-hand side of $(E^s_k)$ collects the alternatives of both:

$(E^s_k)\quad \forall y_1\,y_2\,v_1\,v_2\; \Big( \{y_1 \mid v_1\} = \{y_2 \mid v_2\} \;\leftrightarrow\; (y_1 = y_2 \wedge v_1 = v_2) \vee (y_1 = y_2 \wedge v_1 = \{y_2 \mid v_2\}) \vee (y_1 = y_2 \wedge \{y_1 \mid v_1\} = v_2) \vee \exists z\,(v_1 = \{y_2 \mid z\} \wedge v_2 = \{y_1 \mid z\}) \Big)$

According to $(E^s_k)$, duplicates and ordering of elements in sets are immaterial. Thus, $(E^s_k)$ implies the equational axioms $(E^s_p)$ and $(E^s_a)$. In [11] it is also proved that they are equivalent when domains are made of terms. The theory Set also contains axioms $(K)$ and $(W)$ with $[\,\cdot \mid \cdot\,]$ replaced by $\{\,\cdot \mid \cdot\,\}$, and axiom schema $(F_2)$. Axiom schema $(F_1)$ is replaced by:

$(F^s_1)\quad \forall x_1 \cdots x_n\, y_1 \cdots y_n\; \big( f(x_1, \ldots, x_n) = f(y_1, \ldots, y_n) \;\rightarrow\; x_1 = y_1 \wedge \cdots \wedge x_n = y_n \big)$, for any $f \in \mathcal{F}_{Set}$, $f$ distinct from $\{\,\cdot \mid \cdot\,\}$

The modification of axiom schema $(F_3)$ for sets, instead, simplifies the one used for compact lists:

$(F^s_3)\quad \forall x\,(x \neq t[x])$, unless $t$ is of the form $\{t_1, \ldots, t_n \mid x\}$ and $x \notin FV(t_1, \ldots, t_n)$

3.5 Equational theories

As we have seen in this section, each aggregate constructor is precisely characterized by zero, one, or two equational axioms. We define the four corresponding equational theories as follows:

$E_{List}$, the empty theory, for List;
$E_{MSet}$, consisting of the permutativity axiom $(E^m_p)$, for MSet;
$E_{CList}$, consisting of the absorption axiom $(E^c_a)$, for CList;
$E_{Set}$, consisting of both the permutativity $(E^s_p)$ and the absorption $(E^s_a)$ axioms, for Set.

Relationships between these equational theories, $\Sigma$-structures, and the proposed first-order theories for aggregates are explained in the next section. Figure 1 summarizes the axiomatizations of the four theories.
4 Constraints, Privileged Models, and Solved Form

In this section we introduce the privileged models for the four theories introduced in the previous section. These models are used to test satisfiability of the particular kind of formulas we are concerned with, namely constraints. We then show that the models and the theories defined in the previous section correspond on the class of constraints considered. Moreover, we give a general notion of solved form for constraints, and we prove that a solved form constraint is satisfiable in the corresponding privileged model.

Definition 4.1 (Constraints) Let $T$ be either List or MSet or CList or Set. A $T$-constraint $C_T$ is a conjunction of atomic $\mathcal{L}_T$-formulas or negations of atomic $\mathcal{L}_T$-formulas of the form $s\,\pi\,t$, where $\pi \in \Pi$ and $s, t \in T(\mathcal{F}_T, \mathcal{V})$.

Throughout the paper we will use the following terminology to refer to particular kinds of constraints: equality (resp., disequality) constraints are conjunctions of atomic formulas of the form $s = t$ (resp., $s \neq t$). Membership (resp., non-membership) constraints are conjunctions of membership atoms (resp., negative membership literals), i.e. formulas of the kind $s \in t$ (resp., $s \notin t$).

4.1 Privileged Models

As discussed in Section 3.5, each aggregate constructor is precisely characterized by an equational theory, which we have named $E_{List}$, $E_{MSet}$, $E_{CList}$, and $E_{Set}$. Using the appropriate equational theory we can define a privileged model for each of the first-order theories List, MSet, CList, and Set. Each model is obtained as a quotient of the Herbrand Universe.

Definition 4.2 Let $T$ be List (resp., MSet, CList, or Set). A privileged $\Sigma$-structure for $T$ is defined as follows.

1. The domain of the $\Sigma$-structure is the quotient $T(\mathcal{F}_T)/\!=_T$ of the Herbrand Universe $T(\mathcal{F}_T)$ over the smallest congruence relation $=_T$ induced by the equational theory $E_T$ on $T(\mathcal{F}_T)$.

2. The interpretation of a term $t$ is its equivalence class w.r.t. $=_T$, denoted by $\langle t \rangle$.

3. $=$ is interpreted as the identity on the domain $T(\mathcal{F}_T)/\!=_T$.

4. The interpretation of membership is: $\langle t \rangle \in \langle s \rangle$ is true if and only if there is a term in $\langle s \rangle$ of the form $[t_1, \ldots, t_n, t \mid r]$ (resp., $\{\![t_1, \ldots, t_n, t \mid r]\!\}$, $[\![t_1, \ldots, t_n, t \mid r]\!]$, or $\{t_1, \ldots, t_n, t \mid r\}$) for some terms $t_1, \ldots, t_n, r$.

It is easy to prove that the $\Sigma$-structures defined above are in fact models of the corresponding theories. In Lemma A.2 we prove this property for multisets. From now on, we will call the privileged $\Sigma$-structures defined above privileged models for List, MSet, CList, and Set. We refer to them as $\mathcal{LIST}$, $\mathcal{MSET}$, $\mathcal{CLIST}$, and $\mathcal{SET}$, respectively.

Remark 4.3 When $\langle s \rangle$ is the class of a multiset (resp., a set), since the permutativity property holds, the requirement for $\langle t \rangle \in \langle s \rangle$ to be true can be simplified to: $\{\![t \mid r]\!\}$ (resp., $\{t \mid r\}$) is in $\langle s \rangle$.

The following notion from [19] is crucial for characterizing the above privileged models.

Definition 4.4 Given a first-order language $\mathcal{L} = (\Sigma, \mathcal{V})$, a set of first-order formulas $\mathcal{C}$ on $\mathcal{L}$, a theory $T$ on $\mathcal{L}$, and a $\Sigma$-structure $\mathcal{A}$, $T$ and $\mathcal{A}$ correspond on the set $\mathcal{C}$ if, for each $\varphi \in \mathcal{C}$, we have that $T \models \exists\varphi$ if and only if $\mathcal{A} \models \exists\varphi$.

This property means that if $\varphi$ is an element of $\mathcal{C}$ and $\varphi$ is satisfiable in $\mathcal{A}$, then it is satisfiable in all the models of $T$. We prove the correspondence property for our theories and the privileged models, when the class $\mathcal{C}$ is the class of constraints defined in Definition 4.1. We show below the proof of this result in the case of the model $\mathcal{MSET}$ and the theory MSet. The other cases are similar. In the proof we use some basic results which can be found in Appendix A (Lemmas A.1 to A.3).

Theorem 4.5 The model $\mathcal{MSET}$ (resp., $\mathcal{LIST}$, $\mathcal{CLIST}$, $\mathcal{SET}$) and the theory MSet (resp., List, CList, and Set) correspond on the class of MSet- (resp., List-, CList-, and Set-) constraints.

Proof. From Lemma A.2 it follows that $\mathcal{MSET}$ is a model of MSet, namely that if $C$ is a first-order formula and MSet $\models C$, then $\mathcal{MSET} \models C$.

On the other hand, if $\exists C$ is a formula with only existential quantifiers, then $\mathcal{MSET} \models \exists C$ if and only if there exists $\sigma$ such that $\mathcal{MSET} \models \sigma(C)$. Assume that $\mathcal{MSET} \models \sigma(C)$. From Lemmas A.1 and A.3 we have that $\mathcal{M} \models \exists C$ for all models $\mathcal{M}$ of MSet. This implies that MSet $\models \exists C$. $\square$

4.2 Solved Form

Solved form constraints play a fundamental role in establishing satisfiability of constraints in the corresponding privileged model. The solved form is obtained by defining first a weaker form, called the pre-solved form, and then by adding to this form two further conditions.

Definition 4.6 A constraint $C = c_1 \wedge \cdots \wedge c_n$ is in pre-solved form if for $i \in \{1, \ldots, n\}$, $c_i$ is in pre-solved form in $C$, i.e. in one of the following forms:

• $X = t$ and $X$ does not occur elsewhere in $C$

• $t \in X$ and $X$ does not occur in $t$

• $X \neq t$ and $X$ does not occur in $t$

• $t \notin X$ and $X$ does not occur in $t$.

A constraint in pre-solved form is not guaranteed to be satisfiable in the corresponding privileged model. For example, the constraint $X \in Y \wedge Y \in X$ is in pre-solved form but it is unsatisfiable in each of the privileged models $\mathcal{LIST}$, $\mathcal{MSET}$, $\mathcal{CLIST}$, and $\mathcal{SET}$. The first condition we introduce below takes care of this situation.

Definition 4.7 (Acyclicity Condition) Let $C$ be a pre-solved form constraint and $C_\in$ be the part of $C$ containing only membership constraints. Let $\mathcal{G}^\in_C$ be the directed graph obtained as follows:

Nodes. Associate a distinct node to each variable $X$ in $C_\in$.

Edges. If $t \in X$ is in $C_\in$, $\nu_1, \ldots, \nu_n$ are the nodes associated with the variables in $t$, and $\mu$ is the node associated with the variable $X$, then add the edges $(\nu_1, \mu), \ldots, (\nu_n, \mu)$.

We say that a pre-solved form constraint $C$ is acyclic if $\mathcal{G}^\in_C$ is acyclic.

The acyclicity condition is not sufficient for satisfiability. Consider the constraint $\{A, B\} \in X \wedge \{B, A\} \notin X$. It is in pre-solved form and acyclic but unsatisfiable in all the considered privileged models. Conversely, the constraint $\{A\} \in X \wedge \{a\} \notin X$ is satisfiable in $\mathcal{SET}$ (e.g., $A = b$, $X = \{\{b\}\}$). We observe that whenever there are two constraints $t \in X$ and $t' \notin X$ in $C$ such that $t$ and $t'$ are equivalent terms in the equational theory $E_T$, the constraint $C$ is unsatisfiable.

This analysis, however, does not cover all the possible cases in which an acyclic constraint in pre-solved form is unsatisfiable, as the following example shows:

$a \in X \wedge X \in Y \wedge \{a \mid X\} \notin Y$.

Observe that there are no pairs of terms $t, t'$ of the form singled out above. Nevertheless, since the satisfiability of $a \in X$ is equivalent in Set to that of $X = \{a \mid N\}$ ($N$ a new variable), the constraint is equi-satisfiable to:

$X = \{a \mid N\} \wedge \{a \mid N\} \in Y \wedge \{a, a \mid N\} \notin Y$.

Now, $\{a \mid N\}$ and $\{a, a \mid N\}$ are equivalent terms in $E_{Set}$, and thus the constraint is unsatisfiable.

To formally define the second condition for solved form constraints, taking into account all the possible cases informally described above, we introduce the following definitions.

Definition 4.8 Let $\theta = [X_1/t_1, \ldots, X_n/t_n]$ be a substitution and $m \in \mathbb{N}$. We recursively define the substitution $\theta^m$ as:

$\theta^1 = \theta$
$\theta^{m+1} = [X_1/\theta^m(t_1), \ldots, X_n/\theta^m(t_n)]$, for $m > 0$

If there exists $m > 0$ such that $\theta^{m+1} = \theta^m$ we say that $\theta$ is stabilizing. Given a stabilizing substitution $\theta$, the closure $\theta^*$ of $\theta$ is the substitution $\theta^m$ such that $\forall k \geq m$ we have that $\theta^k = \theta^m$.

Definition 4.9 Let $C$ be a constraint in pre-solved form over the language $\mathcal{L}_{List}$ (resp., $\mathcal{L}_{MSet}$, $\mathcal{L}_{CList}$, $\mathcal{L}_{Set}$) and let $t^1_1 \in X_1, \ldots, t^1_{k_1} \in X_1, \ldots, t^q_1 \in X_q, \ldots, t^q_{k_q} \in X_q$ be all the membership atoms of $C$. We define the member substitution $\sigma_C$ as follows:

$\sigma_C = [X_1/[F_1, t^1_1, \ldots, t^1_{k_1} \mid M_1], \ldots, X_q/[F_q, t^q_1, \ldots, t^q_{k_q} \mid M_q]]$

(respectively, $\sigma_C = [X_1/\{\![F_1, t^1_1, \ldots, t^1_{k_1} \mid M_1]\!\}, \ldots]$, $\sigma_C = [X_1/[\![F_1, t^1_1, \ldots, t^1_{k_1} \mid M_1]\!], \ldots]$, $\sigma_C = [X_1/\{F_1, t^1_1, \ldots, t^1_{k_1} \mid M_1\}, \ldots]$), where $F_i$ and $M_i$ are new variables not occurring in $C$.

The member substitution $\sigma_C$ forces all the terms $t^i_j$ to be members of the aggregate represented by $X_i$. The variable $F_i$ in $X_i$ is necessary in the case of compact lists. As a matter of fact, in every valuation $\sigma$ satisfying the constraint

$Y \in X_1 \wedge [\![Y \mid X_1]\!] \in X_2 \wedge X_1 \notin X_2$

it must be $\sigma(X_1) \neq \sigma([\![Y \mid X_1]\!])$. Thus, in $\sigma_C$ we give the first element of $\sigma(X_1)$ the possibility to be different from $\sigma(Y)$. We show in Appendix A that if $C$ is a constraint in pre-solved form and acyclic, then $\sigma_C$ is stabilizing (Lemma A.4).

We are now ready to state the second condition for the solved form.

Definition 4.10 (Membership Consistency Condition) Let $E_T$ be one of the four equational theories for aggregates. A constraint $C$ in pre-solved form and acyclic is membership consistent if for each pair of literals of the form $t \notin X$, $t' \in X$ in $C$ we have that:

$E_T \not\models \forall(\sigma^*_C(t) = \sigma^*_C(t'))$.

The definition of solved form, therefore, can be given simply as follows:

Definition 4.11 (Solved Form) A constraint $C$ in pre-solved form is said to be in solved form if it satisfies the membership consistency condition.

Observe that the membership consistency condition implies the acyclicity condition. It is a semantic requirement about the equivalence of two terms under a given equational theory. However, this test can be automatized in the following way. As is well known from unification theory (see, e.g., [3]), given an equational theory $E$, knowing whether two terms $t$ and $t'$ are equivalent modulo $=_E$ is the same as verifying whether they are $E$-unifiable with empty m.g.u. ($\varepsilon$). Thus, the test is connected with the availability of a unification algorithm for the theory $E_T$. In [11] it is proved that the four equational theories we are dealing with are finitary (i.e., they admit a finite set of m.g.u.'s that covers all possible unifiers) and, moreover, the unification algorithms for the four theories are presented. This gives us a decision procedure for the above test.

As an example, let $C$ be the pre-solved form and acyclic Set-constraint $a \in Y \wedge Y \in X \wedge X \in Z \wedge \{\{a \mid Y\} \mid X\} \notin Z$. It holds that:

$\sigma_C = [Y/\{F_Y, a \mid M_Y\},\; X/\{F_X, Y \mid M_X\},\; Z/\{F_Z, X \mid M_Z\}]$
$\sigma^*_C = [Y/\{F_Y, a \mid M_Y\},\; X/\{F_X, \{F_Y, a \mid M_Y\} \mid M_X\},\; Z/\{F_Z, \{F_X, \{F_Y, a \mid M_Y\} \mid M_X\} \mid M_Z\}]$
$\sigma^*_C(X) = \{F_X, \{F_Y, a \mid M_Y\} \mid M_X\}$
$\sigma^*_C(\{\{a \mid Y\} \mid X\}) = \{\{a, F_Y, a \mid M_Y\}, F_X, \{F_Y, a \mid M_Y\} \mid M_X\}$

The constraint is not in solved form since $E_{Set} \models \forall(\sigma^*_C(X) = \sigma^*_C(\{\{a \mid Y\} \mid X\}))$.
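The canonical-form view of the privileged models (Definition 4.2 and Remark 4.3) and the closure-based membership consistency test (Definitions 4.8 to 4.10, with the Set examples just discussed) can both be run mechanically. The following Python program is an added example written for this page, not code from the paper or its authors. It represents each term of the Herbrand Universe by a canonical representative of its $=_T$ class (elements sorted for $E_{MSet}$, contiguous duplicates dropped for $E_{CList}$, both for $E_{Set}$, nothing for $E_{List}$; variables are treated as free constants, which is all the equational theories need), decides $E_T \models \forall(s = t)$ by comparing representatives, builds $\sigma_C$, iterates it to $\sigma^*_C$ and reports whether a pre-solved constraint is membership consistent. The term encoding (`Agg`, uppercase strings for variables, tuples for free function symbols), the function names, and the fresh-variable names `F_X` and `M_X` are conventions of this example, not of the paper.

```python
from dataclasses import dataclass
from typing import Union

# Term encoding used by this example: a str is a constant ("a", "nil") or,
# when it starts with an uppercase letter, a variable; a tuple
# (f, arg1, ..., argn) is a term with a free function symbol f; an Agg is
# [t1, ..., tn | tail] built with one of the four aggregate constructors.
@dataclass(frozen=True)
class Agg:
    kind: str     # "list", "mset", "clist" or "set"
    elems: tuple  # (t1, ..., tn)
    tail: object  # the part after "|"; "nil" for a closed aggregate

Term = Union[str, tuple, Agg]


def agg(kind: str, *elems: Term, tail: Term = "nil") -> Agg:
    return Agg(kind, tuple(elems), tail)


def _drop_adjacent_dups(elems: list) -> list:
    out: list = []
    for e in elems:
        if not out or out[-1] != e:
            out.append(e)
    return out


def canon(t: Term) -> Term:
    """Canonical representative of the =_T class of t (Definition 4.2).
    E_MSet sorts the elements (permutativity), E_CList drops contiguous
    duplicates (absorption), E_Set does both, E_List changes nothing.
    Variables count as free constants, so canon(s) == canon(t) holds
    exactly when E_T |= forall(s = t)."""
    if isinstance(t, Agg):
        elems = [canon(e) for e in t.elems]
        tail = canon(t.tail)
        if isinstance(tail, Agg) and tail.kind == t.kind:  # [s | [r | u]] = [s, r | u]
            elems += list(tail.elems)
            tail = tail.tail
        if t.kind in ("mset", "set"):
            elems.sort(key=repr)                # order of elements is immaterial
        if t.kind in ("clist", "set"):
            elems = _drop_adjacent_dups(elems)  # sorted first, so sets lose all duplicates
        return Agg(t.kind, tuple(elems), tail)
    if isinstance(t, tuple):
        return (t[0],) + tuple(canon(a) for a in t[1:])
    return t


def equiv(s: Term, t: Term) -> bool:
    return canon(s) == canon(t)


def member(t: Term, s: Term) -> bool:
    """<t> in <s> in the privileged model (Definition 4.2, item 4)."""
    cs = canon(s)
    return isinstance(cs, Agg) and canon(t) in cs.elems


def apply(theta: dict, t: Term) -> Term:
    if isinstance(t, str):
        return theta.get(t, t)
    if isinstance(t, Agg):
        return Agg(t.kind, tuple(apply(theta, e) for e in t.elems), apply(theta, t.tail))
    return (t[0],) + tuple(apply(theta, a) for a in t[1:])


def member_subst(kind: str, members: list) -> dict:
    """sigma_C of Definition 4.9; members lists (t, X) pairs for the atoms t in X.
    F_X and M_X play the role of the fresh variables F_i and M_i."""
    by_var: dict = {}
    for t, x in members:
        by_var.setdefault(x, []).append(t)
    return {x: Agg(kind, ("F_" + x, *ts), "M_" + x) for x, ts in by_var.items()}


def closure(theta: dict) -> dict:
    """theta* of Definition 4.8. An acyclic sigma_C stabilises within
    len(theta) + 1 steps; a cyclic one (X in Y and Y in X) never does."""
    current = dict(theta)
    for _ in range(len(theta) + 1):
        nxt = {x: apply(current, t) for x, t in theta.items()}
        if nxt == current:
            return current
        current = nxt
    raise ValueError("sigma_C does not stabilise: the membership graph is cyclic")


def membership_consistent(kind: str, members: list, non_members: list) -> bool:
    """Definition 4.10: no pair t notin X, t' in X with E_T |= forall(s*(t) = s*(t'))."""
    sigma = closure(member_subst(kind, members))
    return not any(x == xp and equiv(apply(sigma, t), apply(sigma, tp))
                   for t, x in non_members for tp, xp in members)


if __name__ == "__main__":
    print(equiv(agg("set", "a", "b", "b"), agg("set", "b", "a")))    # True in SET
    print(equiv(agg("mset", "a", "b", "b"), agg("mset", "b", "a")))  # False in MSET
    # a in Y, Y in X, X in Z, {{a | Y} | X} notin Z: the Set example in the text
    members = [("a", "Y"), ("Y", "X"), ("X", "Z")]
    non_members = [(agg("set", agg("set", "a", tail="Y"), tail="X"), "Z")]
    print(membership_consistent("set", members, non_members))         # False: not in solved form
```

The two Set examples from the text come out as the text predicts: $\{a \mid N\}$ and $\{a, a \mid N\}$ collapse to the same representative, so neither $a \in X \wedge X \in Y \wedge \{a \mid X\} \notin Y$ nor the four-literal example is in solved form, while $\{A\} \in X \wedge \{a\} \notin X$ is. Canonical forms decide only the equational theories $E_T$; the extensionality axioms such as $(E^s_k)$ are not needed for this test and are not modelled.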

We prove now that solved form constraints are satisfiable in the corresponding privileged models. We prove the property for Set-constraints. The proof is similar for the other cases.

Theorem 4.12 (Satisfiability of the Solved Form) Let $C$ be a constraint in solved form over the language $\mathcal{L}_{Set}$ (resp., $\mathcal{L}_{List}$, $\mathcal{L}_{MSet}$, $\mathcal{L}_{CList}$). Then $\mathcal{SET} \models \exists C$ (resp., $\mathcal{LIST}$, $\mathcal{MSET}$, and $\mathcal{CLIST}$).

Proof. We split $C$ into the four parts $C_=$, $C_\in$, $C_\notin$, and $C_\neq$, containing the $=$, $\in$, $\notin$, and $\neq$ literals, respectively. For all pairs of literals $p \in V$, $r \notin V$ in $C$ let $NEQ_{pr}$ be an auxiliary variable, used as a 'constraint store' and initialized to the empty set $\emptyset$. We will use the two auxiliary functions rank and find. The rank of a well-founded set is basically the maximum nesting of braces needed to write it. Precisely:

$rank(s) = 0$ if $s$ is not of the form $\{u \mid v\}$;
$rank(s) = \max\{1 + rank(u),\; rank(v)\}$ if $s$ is $\{u \mid v\}$.

$find(X, t)$ is a function that produces for each pair $(X, t)$ a set of integer numbers indicating the 'depth' of the occurrences of the variable $X$ in $t$. It can be defined as:

$find(X, t) = \emptyset$ if $t$ is a constant term or a variable other than $X$;
$find(X, t) = \{0\}$ if $t$ is the variable $X$;
$find(X, t) = \{1 + n : n \in find(X, t_1) \cup \cdots \cup find(X, t_m)\}$ if $t$ is $f(t_1, \ldots, t_m)$ and $f$ is not $\{\,\cdot \mid \cdot\,\}$;
$find(X, t) = \{1 + n : n \in find(X, y)\} \cup find(X, s)$ if $t$ is $\{y \mid s\}$.

We build a successful valuation $\gamma$ of $C$ in various steps.

$C_=$ is of the form $X_1 = t_1 \wedge \cdots \wedge X_m = t_m$. We define the mapping $\theta_1 = [X_1/t_1, \ldots, X_m/t_m]$.

$C_\in$ is of the form $p^1_1 \in V_1 \wedge \cdots \wedge p^1_{\ell_1} \in V_1 \wedge \cdots \wedge p^q_{\ell_q} \in V_q$. Consider the member substitution

$\sigma_C = [V_1/\{F_1, p^1_1, \ldots, p^1_{\ell_1} \mid M_1\}, \ldots, V_q/\{F_q, p^q_1, \ldots, p^q_{\ell_q} \mid M_q\}]$.

Since, by hypothesis, $C$ is acyclic, $\sigma^*_C$ can be computed (see Lemma A.4).

For each pair of literals $p \in V$, $r \notin V$ of $C$ consider the equality constraints in solved form $D_1, \ldots, D_k$ that are the solutions to the unification problem $\sigma^*_C(p) = \sigma^*_C(r)$ (since $C$ is in solved form they are all different from the empty substitution). By the results concerning unification (cf. [11]) we have that

$E_{Set} \models \forall \Big( \sigma^*_C(p) = \sigma^*_C(r) \;\leftrightarrow\; \exists \bar{N}\, \bigvee_{i=1}^{k} D_i \Big)$

where $\bar{N}$ are new variables, and each $D_i$ is a conjunction of equations which contains at least one atom of the form $A = \{a_1, \ldots, a_h \mid B\}$ with $A \in FV(\sigma^*_C(p)) \cup FV(\sigma^*_C(r))$ and $FV(a_i) \subseteq FV(\sigma^*_C(p)) \cup FV(\sigma^*_C(r))$, or one atom of the form $A = B$ with $A, B \in FV(\sigma^*_C(p)) \cup FV(\sigma^*_C(r))$. Since we want to satisfy $\sigma^*_C(r) \notin \sigma^*_C(V)$ we are interested in satisfying $\sigma^*_C(r) \neq \sigma^*_C(p)$, which is in turn equivalent to:

$\bigwedge_{i=1}^{k} \forall\, \neg D_i$.

For doing that, for each $D_i$ we choose an atom of the form $A = \{a_1, \ldots, a_h \mid B\}$ or $A = B$ and we store it in the variable $NEQ_{pr}$. Points (5) and (6) below will take care of this constraint store.

$C_\notin$ is of the form $r_1 \notin Y_1 \wedge \cdots \wedge r_n \notin Y_n$ ($Y_i$ does not occur in $r_i$) and $C_\neq$ is of the form $Z_1 \neq s_1 \wedge \cdots \wedge Z_o \neq s_o$ ($Z_i$ does not occur in $s_i$). Let $W_1, \ldots, W_h$ be the variables occurring in $C$ other than $X_1, \ldots, X_m, V_1, \ldots, V_q, Y_1, \ldots, Y_n, Z_1, \ldots, Z_o$. Let $s = \max\{rank(t) : t \text{ occurs in } \sigma^*_C(\theta_1(C))\} + 1 + h$.

Let $R_1, \ldots, R_j$ be the variables occurring in $\sigma^*_C(\theta_1(C_\notin \wedge C_\neq))$ (actually the variables $F$, $M$, and some of the $Y$ and $Z$) and $n_1, \ldots, n_j$ be auxiliary variables ranging over $\mathbb{N}$. We build an integer disequation system $S$ in the following way:

1. $S = \{n_i > s : \forall i \in \{1, \ldots, j\}\} \cup \{n_{i_1} \neq n_{i_2} : \forall i_1, i_2 \in \{1, \ldots, j\},\; i_1 \neq i_2\}$.

2. For each literal $R_{i_1} \neq t$ in $\sigma^*_C(C_\neq)$: $S = S \cup \{n_{i_1} \neq n_{i_2} + c : \forall i_2 \neq i_1,\; \forall c \in find(R_{i_2}, t)\}$.

3. For each literal $\{R_{i_1}, p_1, \ldots, p_v \mid R_h\} \neq t$ in $\sigma^*_C(C_\neq)$: $S = S \cup \{n_{i_1} \neq n_{i_2} + c - 1 : \forall i_2 \neq i_1,\; \forall c \in find(R_{i_2}, t)\}$.

4. For each literal $t \notin R_{i_1}$ in $\sigma^*_C(C_\notin)$: $S = S \cup \{n_{i_1} \neq n_{i_2} + c + 1 : \forall i_2 \neq i_1,\; \forall c \in find(R_{i_2}, t)\}$.

5. For each literal $t \notin \{R_{i_1}, p_1, \ldots, p_v \mid R_h\}$, for each $k \leq v$, for all $R_{i_2} = \{a_1, \ldots, a_n \mid B\}$ in $NEQ_{p_k t}$: $S = S \cup \{n_{i_2} \neq n_{i_3} + c + 1 : \forall i_3 \neq i_2,\; \forall l \in \{1, \ldots, n\},\; \forall c \in find(R_{i_3}, a_l)\}$.

6. For each literal $t \notin \{R_{i_1}, p_1, \ldots, p_v \mid R_h\}$, for each $k \leq v$, for all $R_{i_2} = R_{i_3}$ in $NEQ_{p_k t}$: $S = S \cup \{n_{i_2} \neq n_{i_3}\}$.

7. For each literal $t \notin \{R_{i_1}, p_1, \ldots, p_v \mid R_h\}$: $S = S \cup \{n_{i_1} \neq n_{i_2} + c : \forall i_2 \neq i_1,\; \forall c \in find(R_{i_2}, t)\}$.

8. For each literal $t \notin \{R_{i_1}, p_1, \ldots, p_v \mid R_h\}$: $S = S \cup \{n_h \neq n_{i_2} + c + 1 : \forall i_2 \neq h,\; \forall c \in find(R_{i_2}, t)\}$.

An integer disequation is safe if, after expression evaluation, it is not of the form $a \neq a$. A safe disequation always has an infinite number of solutions, and so does a finite set of safe disequations. We show that all disequations of $S$ are safe. The disequations generated at point (1) are safe by definition; those introduced in points (2), (4), (5), (6), (7), and (8) are safe since $c$ is always a positive number. We prove that the disequations generated at point (3) are safe. If in $C$ there was a situation of the form $p_1 \in Y \wedge \cdots \wedge p_m \in Y \wedge Y \neq t$, from which we have obtained $\{F_Y, \sigma^*_C(p_1), \ldots, \sigma^*_C(p_m) \mid M_Y\} \neq \sigma^*_C(t)$, then we had, from the definition of solved form, that $Y$ does not occur in $t$, hence $F_Y$ does not occur at depth 1 in $\sigma^*_C(t)$, hence we do not obtain a disequation of the form $n_{F_Y} \neq n_{F_Y} + 1 - 1$.

From the safeness property, it is possible to find an integer solution to the system $S$ by choosing arbitrarily large values satisfying the constraints. Let $\{n_1 = \bar{n}_1, \ldots, n_j = \bar{n}_j\}$ be a solution and define

$\theta_2 = [R_i/\{nil\}^{\bar{n}_i} : \forall i \in \{1, \ldots, j\}]$,

where $\{nil\}^n$ denotes the term $\{\cdots\{nil\}\cdots\}$ with $n$ nested braces (similarly for the other theories employed).

Let $\gamma = \theta_1 \sigma^*_C \theta_2$ (where $s\mu\nu$ stands for $(s\mu)\nu$) and observe that $C\gamma$ is a conjunction of ground literals. We show that $K\,E^s_k\,F^s_1\,F_2\,F^s_3 \models C\gamma$. We analyze each literal of $C$.

$X = t$: $\theta_1(X)$ coincides syntactically with $\theta_1(t) = t$. Hence, a literal of this form is true in any model of equality.

$t \in X$: $\theta_2(\sigma^*_C(X)) = \{\ldots, \theta_2(\sigma^*_C(t)), \ldots\}$, so the atom is satisfied.

$Z \neq u$: two cases are possible:

1. if there are no atoms of the form $t \in Z$ in $C$, then the conditions in $S$ and over $s$ ensure that $rank(\gamma(Z)) \neq rank(\gamma(u))$;

2. if there is at least one atom of the form $t \in Z$ in $C$, then $\sigma^*_C(Z) = \{F, t_1, \ldots, t_k \mid M\}$; the conditions in $S$ and over $s$ ensure that $rank(\gamma(F)) \neq rank(\gamma(u)) - 1$, hence $\gamma(F)$ is not an element of $\gamma(u)$.

$r \notin Y$: two cases are possible:

1. no atoms of the form $t \in Y$ occur in $C$: if $r$ is ground, then it cannot be an element of $Y$ since $\gamma(Y) = \{nil\}^i$ with $i > s$; if $r$ is not ground, then the conditions in $S$ ensure that $rank(\gamma(Y)) \neq rank(\gamma(r)) + 1$;

2. at least one atom of the form $t \in Y$ occurs in $C$, hence $\sigma^*_C(Y) = \{F, t_1, \ldots, t_k \mid M\}$: if $r$ is ground the result is trivial; if $r$ is not ground then the conditions in $S$ ensure that $rank(\gamma(t_j)) \neq rank(\gamma(r))$ for all $j \leq k$, $rank(\gamma(F)) \neq rank(\gamma(r))$, and $rank(\gamma(M)) \neq rank(\gamma(r)) + 1$.

$\square$

Remark 4.13 The task of testing whether a pre-solved form constraint C is in solved form
could be avoided in the cases of multisets and sets, where all membership atoms can be removed.
As a matter of fact, in the privileged models considered for sets and multisets it holds that:

$s \in t \leftrightarrow \exists N\,(t = \{s \mid N\})$.

We can therefore replace each membership atom s ∈ t with an equi-satisfiable equality atom
t = {s | N}, with N a new variable. This implies that the additional conditions on the pre-solved
form are not required at all, since membership atoms can be removed.



5 Constraint Rewriting Procedures

In this section we describe the procedures that can be used to rewrite a given constraint C
into an equi-satisfiable disjunction of constraints in pre-solved form. All the procedures have the
same overall structure, shown in Figure 2: they take a constraint C as their input and repeatedly
select a conjunct c in C not in pre-solved form (if any) and apply one of the rewriting rules
to it. The procedure stops when the constraint C is in pre-solved form or false is a conjunct of the
constraint. The procedure is non-deterministic. Some rewriting rules have two or more possible
non-deterministic choices. Each non-deterministic computation returns a constraint of the form
above. However, there is globally a finite set C_1, ..., C_k of constraints non-deterministically
returned. The input constraint C and the disjunction C_1 ∨ ··· ∨ C_k are equi-satisfiable.

Let T be one of the theories List, MSet, CList, Set, π a symbol in {=, ≠, ∈, ∉}, and C a T-constraint

while C contains an atomic constraint c of the form l π r not in pre-solved form and c ≠ false do
    select c;
    if c = false then return false
    else if c = true then erase c
    else apply to c any rewriting rule for T-constraints of the form · π ·;
return C

Figure 2: Main loop of constraint rewriting procedures



5.1 Equality Constraints

Unification algorithms for verifying the satisfiability and producing the solutions of equality con-
straints in the four aggregate theories have been proposed in [11]. The unification algorithms
proposed in [11] fall in the general schema of Figure 2. Some determinism in the statement
select c is added to ensure termination. They are called:

    Unify_lists for lists                 Unify_msets (Unify_bags in [11]) for multisets
    Unify_clists for compact lists        Unify_sets for sets

and they are used unaltered in the four global constraint solvers that we propose in this paper.

The output of the algorithms is either false, when the constraint is unsatisfiable, or a
collection of solved form constraints (Def. 4.11) composed only by equality atoms. In Figure 3
we have reported the rewriting rules for multiset unification used in algorithm Unify_msets.

The algorithm uses the auxiliary functions tail and untail defined as follows:

    tail(f(t1, ..., tn))  =  f(t1, ..., tn)      f is not ⦃·|·⦄, n ≥ 0
    tail(X)               =  X                   X is a variable
    tail(⦃t|s⦄)           =  tail(s)

    untail(X)             =  nil                 X is a variable
    untail(⦃t|s⦄)         =  ⦃t | untail(s)⦄
Rules for Unify_msets

(1)  X = X                                                    ↦  true

(2)  t = X,  t is not a variable                              ↦  X = t

(3)  X = t,  X does not occur in t, X occurs in C             ↦  X = t and apply the substitution X/t to C

(4)  X = t,  X is not t and X occurs in t                     ↦  false

(5)  f(s1, ..., sm) = g(t1, ..., tn),  f is not g              ↦  false

(6)  f(s1, ..., sm) = f(t1, ..., tm),  m > 0, f is not ⦃·|·⦄    ↦  s1 = t1 ∧ ... ∧ sm = tm

(7)  ⦃t|s⦄ = ⦃t'|s'⦄,  tail(s) and tail(s') are not the same variable
                                                              ↦  (i)  t = t' ∧ s = s'   ∨
                                                                 (ii) s = ⦃t'|N⦄ ∧ ⦃t|N⦄ = s'

(8)  ⦃t|s⦄ = ⦃t'|s'⦄,  tail(s) and tail(s') are the same variable
                                                              ↦  untail(⦃t|s⦄) = untail(⦃t'|s'⦄)


Figure 3: Rewriting rules for the Unification algorithm for multisets 
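The following is an added example, not code from the paper or from [11]: it implements tail, untail and the eight Unify_msets rules of Figure 3 on a small term representation assumed here (variables are capitalised strings, f(t1,...,tn) is the tuple ('f', t1, ..., tn), ⦃t|s⦄ is ('{}', t, s), nil is ('nil',)). The two alternatives of rule (7) are explored one after the other, so the generator enumerates every non-deterministic branch; the selection strategy that [11] adds for termination is not reproduced, and the inputs below are ones on which the naive order terminates.

```python
# Added example (not the paper's code): the Unify_msets rules of Figure 3 and the
# tail/untail functions of Section 5.1, on a term representation assumed here:
#   variable      -> a str starting with an uppercase letter, e.g. 'X'
#   f(t1,...,tn)  -> tuple ('f', t1, ..., tn); a constant a is ('a',)
#   {{t | s}}     -> tuple ('{}', t, s); nil is ('nil',)
import itertools

MSET = '{}'
NIL = ('nil',)
_fresh = itertools.count()          # supplies the new variable N of rule (7)(ii)


def is_var(t):
    return isinstance(t, str)


def mset(*elems, rest=NIL):
    """Build the multiset {{e1, ..., en | rest}}."""
    for e in reversed(elems):
        rest = (MSET, e, rest)
    return rest


def tail(t):
    """tail: the innermost tail of a multiset; a variable or other term is returned as is."""
    while not is_var(t) and t[0] == MSET:
        t = t[2]
    return t


def untail(t):
    """untail: the same elements over the tail nil (untail(X) = nil)."""
    if is_var(t):
        return NIL
    if t[0] == MSET:
        return (MSET, t[1], untail(t[2]))
    return t          # rule (8) only applies untail to multisets with a variable tail


def occurs(x, t):
    return t == x if is_var(t) else any(occurs(x, a) for a in t[1:])


def subst(t, x, v):
    """Apply the substitution x/v to the term t."""
    if is_var(t):
        return v if t == x else t
    return (t[0],) + tuple(subst(a, x, v) for a in t[1:])


def unify(eqs, sol=None):
    """Yield every solution (a dict variable -> term) of the equations in eqs,
    exploring the two non-deterministic choices of rule (7) one after the other."""
    sol = {} if sol is None else sol
    if not eqs:
        yield sol
        return
    (l, r), rest = eqs[0], eqs[1:]
    if l == r:                                          # rule (1): X = X (and t = t)
        yield from unify(rest, sol)
        return
    if not is_var(l) and is_var(r):                     # rule (2): t = X  ->  X = t
        yield from unify([(r, l)] + rest, sol)
        return
    if is_var(l):
        if occurs(l, r):                                # rule (4): occur check fails
            return
        rest = [(subst(a, l, r), subst(b, l, r)) for a, b in rest]     # rule (3)
        sol = {x: subst(v, l, r) for x, v in sol.items()}
        sol[l] = r
        yield from unify(rest, sol)
        return
    if l[0] != r[0] or len(l) != len(r):                # rule (5): different symbols
        return
    if l[0] != MSET:                                    # rule (6): decompose f(..) = f(..)
        yield from unify(list(zip(l[1:], r[1:])) + rest, sol)
        return
    t, s, t2, s2 = l[1], l[2], r[1], r[2]
    if is_var(tail(s)) and tail(s) == tail(s2):         # rule (8): same variable tail
        yield from unify([(untail(l), untail(r))] + rest, sol)
        return
    yield from unify([(t, t2), (s, s2)] + rest, sol)    # rule (7)(i)
    n = f"_N{next(_fresh)}"                             # rule (7)(ii), N is a new variable
    yield from unify([(s, (MSET, t2, n)), ((MSET, t, n), s2)] + rest, sol)


def solutions(l, r):
    """All solutions of the single equation l = r, restricted to its own variables."""
    return [{x: v for x, v in sol.items() if not x.startswith('_N')}
            for sol in unify([(l, r)])]
```

For instance, solutions(mset(('a',), ('b',)), mset(('b',), ('a',))) succeeds once (through branch (ii) of rule (7)), solutions(mset(('a',)), mset(('a',), ('a',))) fails because multiplicities matter, and ⦃a|X⦄ = ⦃b, a|X⦄ fails through rule (8), since both tails are the same variable.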



5.2 Membership and not-Membership Constraints

The rewriting rules for membership and not-membership constraints are justified by axioms (K)
and (W), which hold in all the four theories. Therefore, in Figure 4 we give a single definition of
these rules. They are used within the main loop in Figure 2 to define the rewriting procedures
for membership and not-membership constraints over the considered aggregate. When useful,
we will refer to these procedures with the generic names in-T and nin-T, where T is any of the
aggregate theories.



Let consT(·, ·) be the aggregate constructor for the theory T

Rules for in-T

(1)  r ∈ f(t1, ..., tn),  f is not consT(·, ·)     ↦  false

(2)  r ∈ consT(t, s)                               ↦  r = t   ∨   (a)
                                                      r ∈ s       (b)

(3)  r ∈ X,  X ∈ FV(r)                             ↦  false

Rules for nin-T

(1)  r ∉ f(t1, ..., tn),  f is not consT(·, ·)     ↦  true

(2)  r ∉ consT(t, s)                               ↦  r ≠ t ∧ r ∉ s

(3)  r ∉ X,  X ∈ FV(r)                             ↦  true

Figure 4: Parametric rewriting rules for membership and not-membership constraints



Lemma 5.1 Let T be one of the theories List, MSet, CList, Set, and $\mathcal{A}_T$ the privileged model
for the theory T. Let C be a T-constraint, C_1, ..., C_k be the constraints non-deterministically
returned by nin-T(in-T(C)), and N_i = FV(C_i) \ FV(C). Then $\mathcal{A}_T \models \forall\,(C \leftrightarrow \bigvee_{i=1}^{k} \exists N_i\, C_i)$.

Proof. We prove correctness and completeness for lists, thus with respect to the model LIST.
Soundness and completeness for the other aggregates are proved in the very same way. Soundness and
completeness is proved for each rewriting rule separately since the rules are mutually exclusive. When
possible, we simply point out the axioms of the corresponding theory List involved in the proof (note
that LIST is a model of those axioms):

in-List, rule (1). r ∈ f(t1, ..., tn), with f different from [·|·], is equivalent to true by axiom (K).

in-List, rule (2). This is exactly axiom (W).

in-List, rule (3). Assume that there is a valuation σ such that LIST ⊨ σ(r ∈ X). This means that
σ(X) contains a term of the form [s1, ..., sn, r' | t] for some terms s1, ..., sn, t, and some term
r' in σ(r). Axiom (F3) ensures that X can not be a subterm of r.

nin-List, rules (1), (2), (3). Same proofs as for the corresponding in-List rules, using the same axioms.

□

In the above lemma it holds that the lists of variables N_i are all empty. However, for the
sake of uniformity with respect to the other similar correctness results, we have made them
explicit. Let us observe that the rewriting rules for procedure in-MSet and in-Set could safely
be extended by the rule:

(4)  r ∈ X,  X ∉ FV(r)                             ↦  X = {r | N}     (X = ⦃r | N⦄ for multisets)

where N is a new variable (see also Remark 4.13). In this way, we are sure to completely remove
membership atoms from the constraints and that the pre-solved form constraints obtained are
in solved form.



5.3 Disequality constraints

Rewriting rules for disequality constraints consist of a part which is the same for the four theories
(although parametric with respect to the considered theory), and a part which is specific for
each one of the four theories. Rules of the common part are shown in Figure 5, while specific
rules are described in the next subsections.



Let consT(·, ·) be the aggregate constructor for the theory T

Rules for neq-T

(1)  d ≠ d,  d is a constant                                   ↦  false

(2)  f(s1, ..., sm) ≠ g(t1, ..., tn),  f is not g               ↦  true

(3)  t ≠ X,  t is not a variable                               ↦  X ≠ t

(4)  X ≠ X,  X is a variable                                   ↦  false

(5)  f(s1, ..., sn) ≠ f(t1, ..., tn),  n > 0, f is not consT(·, ·)
                                                               ↦  s1 ≠ t1   ∨   (1)
                                                                  ...
                                                                  sn ≠ tn       (n)

Figure 5: General rewriting rules for disequality constraints



5.3.1 Lists

Specific rules for the theory List are presented in Figure 6. These rules are inserted in the
general schema of Figure 2 to generate the procedure neq-List.
Rules for neq-List

(1)-(5)  see Figure 5

(6)  [s1 | s2] ≠ [t1 | t2]                        ↦  s1 ≠ t1   ∨   (i)
                                                      s2 ≠ t2       (ii)

(7)  X ≠ f(t1, ..., tn),  X ∈ FV(t1, ..., tn)     ↦  true


Figure 6: Rewriting rules for disequality constraints over lists 
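As an added example (not code from the paper), the parametric rules of Figures 4 and 5 and the List-specific rules (6) and (7) of Figure 6 can be implemented as functions that map one atom to the disjunction of conjunctions the rule produces, and driven to a fixpoint by the loop of Figure 2. The representation is assumed here: variables are capitalised strings, [t|s] is ('cons', t, s), nil is ('nil',), an atom is (op, lhs, rhs) with op one of 'in', 'nin', 'neq', 'eq'. Equalities are outside the scope of these figures; ground ones are decided syntactically and the others are left untouched, as the unifier would handle them.

```python
# Added example (not the paper's code): rules for in-T and nin-T (Figure 4),
# neq-T (Figure 5) and the List rules (6), (7) of Figure 6, run as in Figure 2.
# Representation assumed here:
#   variable -> str starting with an uppercase letter; f(t1,...,tn) -> ('f', t1, ..., tn)
#   [t | s]  -> ('cons', t, s); nil -> ('nil',)
#   atom     -> (op, lhs, rhs) with op in {'eq', 'neq', 'in', 'nin'}
# A rewriting step returns a list of alternatives (a disjunction); each alternative
# is a list of atoms (a conjunction). [] means false, [[]] means true, and
# None means that no rule applies (the atom is already in pre-solved form).
CONS = 'cons'
NIL = ('nil',)


def is_var(t):
    return isinstance(t, str)


def free_vars(t):
    return {t} if is_var(t) else set().union(*(free_vars(a) for a in t[1:]))


def lst(*elems, rest=NIL):
    """Build the list [e1, ..., en | rest]."""
    for e in reversed(elems):
        rest = (CONS, e, rest)
    return rest


def rewrite_in(r, s):
    """Rules for in-T (Figure 4), with consT = cons."""
    if is_var(s):
        return [] if s in free_vars(r) else None      # (3) r in X, X in FV(r) -> false
    if s[0] != CONS:
        return []                                     # (1) membership in a kernel -> false
    return [[('eq', r, s[1])], [('in', r, s[2])]]     # (2) r in [t|s] -> r = t  or  r in s


def rewrite_nin(r, s):
    """Rules for nin-T (Figure 4)."""
    if is_var(s):
        return [[]] if s in free_vars(r) else None    # (3) r nin X, X in FV(r) -> true
    if s[0] != CONS:
        return [[]]                                   # (1) -> true
    return [[('neq', r, s[1]), ('nin', r, s[2])]]     # (2) r nin [t|s] -> r != t and r nin s


def rewrite_neq(l, r):
    """Rules (1)-(5) of Figure 5 and rules (6), (7) of Figure 6."""
    if is_var(l) and is_var(r):
        return [] if l == r else None                 # (4) X != X -> false; X != Y stays
    if is_var(r):
        return [[('neq', r, l)]]                      # (3) t != X -> X != t
    if is_var(l):
        return [[]] if l in free_vars(r) else None    # Fig. 6 (7): X != f(..X..) -> true
    if l[0] != r[0] or len(l) != len(r):
        return [[]]                                   # (2) different symbols -> true
    if len(l) == 1:
        return []                                     # (1) d != d -> false
    # (5) for f other than cons, Figure 6 (6) for cons: one disjunct per argument pair
    return [[('neq', a, b)] for a, b in zip(l[1:], r[1:])]


def rewrite_eq(l, r):
    """Ground equalities are decided syntactically; the rest is left to the unifier."""
    if l == r:
        return [[]]
    if not free_vars(l) and not free_vars(r):
        return []
    return None


RULES = {'in': rewrite_in, 'nin': rewrite_nin, 'neq': rewrite_neq, 'eq': rewrite_eq}


def normalize(atoms):
    """Figure 2 loop: rewrite until no rule applies. Returns the surviving
    alternatives, each a conjunction of atoms in pre-solved form."""
    pending, done = [list(atoms)], []
    while pending:
        conj = pending.pop()
        for i, (op, l, r) in enumerate(conj):
            step = RULES[op](l, r)
            if step is None:
                continue                              # this atom is already irreducible
            rest = conj[:i] + conj[i + 1:]
            pending.extend(rest + alt for alt in step)
            break
        else:
            done.append(conj)                         # every atom irreducible
    return done
```

On a ∉ [b, a] the procedure returns no alternative (the constraint is false); on X ∉ [a] it returns the single pre-solved constraint X ≠ a; on X ≠ [a | X] rule (7) of Figure 6 yields true.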



Lemma 5.2 Let C be a List-constraint, C_1, ..., C_k be the constraints non-deterministically
returned by neq-List(C), and N_i = FV(C_i) \ FV(C). Then $\mathit{LIST} \models \forall\,(C \leftrightarrow \bigvee_{i=1}^{k} \exists N_i\, C_i)$.

Proof. Soundness and completeness of the rewriting rules (and, hence, of the whole rewriting procedure
neq-List) are immediate consequence of standard equality axioms and axiom schemata (F1), (F2), and
(F3). □

5.3.2 Multisets

Disequality constraints over multisets are simplified using the rewriting rules presented in Fig-
ure 7. They make use of the functions tail and untail defined in Section 5.1. Using these rules
within the generic rewriting scheme of Figure 2 we get the rewriting procedure for disequality
constraints over multisets, called neq-MSet.



Rules for neq-MSet

(1)-(5)  see Figure 5

(6.1)  ⦃t1|s1⦄ ≠ ⦃t2|s2⦄,  tail(s1) and tail(s2) are the same variable
                                                   ↦  untail(⦃t1|s1⦄) ≠ untail(⦃t2|s2⦄)

(6.2)  ⦃t1|s1⦄ ≠ ⦃t2|s2⦄,  tail(s1) and tail(s2) are not the same variable
                                                   ↦  (t1 ≠ t2 ∧ t1 ∉ s2)   ∨           (a)
                                                      (⦃t2|s2⦄ = ⦃t1|N⦄ ∧ s1 ≠ N)       (b)

(7)    X ≠ f(t1, ..., tn),  X ∈ FV(t1, ..., tn)     ↦  true

Figure 7: Rewriting rules for disequality constraints over multisets



Some words are needed for explaining the rules related to the management of disequalities
between multisets; in particular rule (6.2) of Figure 7. If we use directly axiom (E_k^m), we have
that:

⦃t1|s1⦄ ≠ ⦃t2|s2⦄ ↔ (t1 ≠ t2 ∨ s1 ≠ s2) ∧ ∀N (s1 ≠ ⦃t2|N⦄ ∨ s2 ≠ ⦃t1|N⦄)

This way, a universal quantification is introduced: this is no longer a constraint according to
Definition 4.1.

Alternatively, we could use the intuitive notion of multi-membership: x ∈ⁱ y if x belongs at
least i times to the multiset y. This way, one can provide an alternative version of equality and
disequality between multisets. In particular, we have:

⦃t1|s1⦄ ≠ ⦃t2|s2⦄ ↔ ∃X ∃n (n ∈ ℕ ∧ ((X ∈ⁿ ⦃t1|s1⦄ ∧ X ∉ⁿ ⦃t2|s2⦄) ∨ (X ∈ⁿ ⦃t2|s2⦄ ∧ X ∉ⁿ ⦃t1|s1⦄)))

In this case, however, we have a quantification on natural numbers: we are outside the language
we are studying. The rewriting rule (6.2) adopted in Figure 7 avoids these difficulties, introducing
only existential quantification. Its correctness and completeness are proved in the following
lemma.



Lemma 5.3 Let C be a MSet-constraint, C_1, ..., C_k be the constraints non-deterministically
returned by neq-MSet(C), and N_i = FV(C_i) \ FV(C). Then $\mathit{MSET} \models \forall\,(C \leftrightarrow \bigvee_{i=1}^{k} \exists N_i\, C_i)$.

Proof. From Lemma 5.2 we know that the result holds for rules (1)-(5) and (7) for the model LIST.
Since permutativity has not been used for that result, and axiom (F3) holds for both the theories, the
same holds for the model MSET. We need to prove correctness and completeness of rewriting rules
(6.1) and (6.2).

(6.1) It is immediately justified by axiom schema (F3^m).

(6.2) The constraint ⦃t1|s1⦄ ≠ ⦃t2|s2⦄ is equivalent to:

    t1 ∉ ⦃t2|s2⦄ ∧ ⦃t1|s1⦄ ≠ ⦃t2|s2⦄   ∨      (1)
    t1 ∈ ⦃t2|s2⦄ ∧ ⦃t1|s1⦄ ≠ ⦃t2|s2⦄          (2)

Since we are looking for successful valuations over MSET that deal with multisets of finite
elements, axiom (E_k^m) ensures that t1 ∉ ⦃t2|s2⦄ implies ⦃t1|s1⦄ ≠ ⦃t2|s2⦄. Thus, formula
(1) is equivalent to t1 ∉ ⦃t2|s2⦄ which, in turn, is equivalent by (W) to the disjunct (a) of the
rewriting rule.

Consider now formula (2). It is easy to see that

    MSET ⊨ ∀(t1 ∈ ⦃t2|s2⦄ ↔ ∃M (⦃t1|M⦄ = ⦃t2|s2⦄))      (3)

Thus, (2) is equivalent to

    ∃M (⦃t1|M⦄ = ⦃t2|s2⦄ ∧ ⦃t1|s1⦄ ≠ ⦃t2|s2⦄)            (4)

It remains to prove that (4) is equivalent to the disjunct (b), namely:

    ∃N (s1 ≠ N ∧ ⦃t2|s2⦄ = ⦃t1|N⦄)                       (5)

(4) → (5) Assume there is M so as to satisfy (4). M = s1 will immediately lead to a contradiction.
Thus, (5) is satisfied by N = M.

(5) → (4) Assume there is N so as to satisfy (5). It follows immediately from the fact, true for
finite multisets, that s1 ≠ N implies ⦃t1|s1⦄ ≠ ⦃t1|N⦄. Thus, choose M = N.

□



5.3.3 Compact Lists

The rewriting rules for disequality constraints over compact lists are shown in Figure 8. These
rules can be immediately exploited in conjunction with the generic scheme of Figure 2 to obtain
a rewriting procedure for disequality constraints over compact lists, called neq-CList. Soundness and
completeness of neq-CList are stated by the following lemma.

Lemma 5.4 Let C be a CList-constraint, C_1, ..., C_k be the constraints non-deterministically
returned by neq-CList(C), and N_i = FV(C_i) \ FV(C). Then $\mathit{CLIST} \models \forall\,(C \leftrightarrow \bigvee_{i=1}^{k} \exists N_i\, C_i)$.

Proof. For rules (1)-(5) the result follows immediately from those for lists. Rules (7.1)-(7.3) follow
from axiom (F3). Rule (6) is exactly axiom (E_k^c). □

Observe that, differently from multisets, the rewriting rule for disequality between compact
lists follows immediately from axiom (E_k^c). As a matter of fact, this axiom does not introduce
any new variable.
Rules for neq-CList

(1)-(5)  see Figure 5

(6)    ⟦t1|s1⟧ ≠ ⟦t2|s2⟧                           ↦  t1 ≠ t2   ∨                                   (a)
                                                      s1 ≠ s2 ∧ ⟦t1|s1⟧ ≠ s2 ∧ s1 ≠ ⟦t2|s2⟧          (b)

(7.1)  X ≠ f(t1, ..., tn),  X ∈ FV(t1, ..., tn), f is not ⟦·|·⟧
                                                   ↦  true

(7.2)  X ≠ ⟦t1, ..., tn | X⟧,  X ∈ FV(t1, ..., tn)  ↦  true

(7.3)  X ≠ ⟦t1, ..., tn | X⟧,  X ∉ FV(t1, ..., tn)  ↦  t1 ≠ t2   ∨                                   (a.1)
                                                      ...
                                                      ... ≠ tn   ∨                                   (a.n)
                                                      X = nil   ∨                                    (b)
                                                      X = ⟦N1|N2⟧ ∧ N1 ≠ tn                          (c)

Figure 8: Rewriting rules for disequality constraints over compact lists



Rules for neq-Set

(1)-(5)  see Figure 5

(6)    {t1|s1} ≠ {t2|s2}                           ↦  Z ∈ {t1|s1} ∧ Z ∉ {t2|s2}   ∨      (a)
                                                      Z ∈ {t2|s2} ∧ Z ∉ {t1|s1}          (b)

(7.1)  X ≠ f(t1, ..., tn),  X ∈ FV(t1, ..., tn), f is not {·|·}
                                                   ↦  true

(7.2)  X ≠ {t1, ..., tn | X},  X ∈ FV(t1, ..., tn)  ↦  true

(7.3)  X ≠ {t1, ..., tn | X},  X ∉ FV(t1, ..., tn)  ↦  t1 ∉ X   ∨      (1)
                                                      ...
                                                      tn ∉ X          (n)

Figure 9: Rewriting rules for disequality constraints over sets



5.3.4 Sets

Disequality constraints over sets are dealt with by the rewriting rules shown in Figure 9, and
they constitute the procedure neq-Set.

Some remarks are needed regarding rule (6). As for multisets, axiom (E_k^s) introduces an
existentially quantified variable to state equality. Thus, its direct application for stating dise-
quality requires universally quantified constraints that go outside the language. On the other
hand, the rewriting rule (6.2) used for multisets can not be used in this context. In fact, the
property that s1 ≠ N implies ⦃t1|s1⦄ ≠ ⦃t1|N⦄, which holds for finite multisets, does not hold
for sets. For instance, {a} ≠ {a, b} but {b, a} = {b, a, b}. Thus, this rewriting rule would not be
correct for sets.

A rewriting rule for disequality constraints over sets can be obtained by taking the negation
of the standard extensionality axiom

(E_k)   $x = y \leftrightarrow \forall z\,(z \in x \leftrightarrow z \in y)$

Lemma 5.5 Let C be a Set-constraint, C_1, ..., C_k be the constraints non-deterministically re-
turned by neq-Set(C), and N_i = FV(C_i) \ FV(C). Then $\mathit{SET} \models \forall\,(C \leftarrow \bigvee_{i=1}^{k} \exists N_i\, C_i)$.

Proof. For rules (1)-(5) the result follows from those for lists. Rules (7.1) and (7.2) are exactly axiom
(F3^s). Rule (6) is axiom (E_k), implied by (E_k^s) on SET. □



Remark 5.6 In our theories an aggregate can be built by starting from any ground uninterpreted
Herbrand term, called the kernel, and then adding to this term the elements that compose the
aggregate. Thus, two aggregates can contain the same elements but nevertheless be
different because of their different kernels. For example, the two terms {a | b} and {a | c} denote
two different sets containing the same elements (a) but based on different kernels (b and c,
respectively).

Rewriting rules for disequality constraints over aggregates other than sets are formulated in
such a way as to take care of the (possibly different) kernels in the two aggregates without having
to explicitly resort to kernels. Conversely, the rewriting rule for disequality constraints over sets
(rule (6)) is not able to "force" disequality between two sets when they have the same elements
but different kernels. This is the reason why the (→) direction of Lemma 5.5 does not hold.

A possible completion of the above procedures to take care of this case is presented in [14];
for doing that some technical complications are introduced. Basically, a new constraint (ker) is
introduced and the rewriting rule (6) is endowed with a third non-deterministic case: ker(s1) ≠
ker(s2). The advantage of this solution is completeness (the (→) direction of Lemma 5.5).
However, for the sake of simplicity, we do not add here the details on the modifications of the
rewriting rules for dealing with ker, which are instead presented in [14].

6 Constraint solving

In this section we address the problem of establishing if a constraint C is satisfiable or not in
the corresponding privileged model. The correspondence result (Theorem 4.5) ensures that the
property is inherited by any model.

Constraint satisfiability for the theory T is checked by the non-deterministic rewriting pro-
cedure SAT_T shown in Figure 10. Its definition is completely parametric with respect to the
theory involved. SAT_T uses iteratively the various rewriting procedures presented in the previ-
ous section, until a fixed-point is reached, i.e., any new rewritings do not further simplify the
constraint. This happens exactly when the constraint is in pre-solved form or it is false. The
two conditions that guarantee that a constraint in pre-solved form is in solved form are tested
by function is_solved_T shown in Figure 11.

By Theorem 4.12 a constraint in solved form is guaranteed to be satisfiable in the corre-
sponding model. Moreover, it will be proved (see Theorem 6.2) that the disjunction of solved
form constraints returned by SAT_T is equi-satisfiable in that model to the original constraint
C. Therefore, SAT_T can be used as a test procedure to check satisfiability of C: if it is able
to reduce C to at least one solved form constraint C' then C is satisfiable; otherwise, C is
unsatisfiable. Moreover, the generated constraint in solved form can be immediately exploited
to compute all possible solutions for C.



function SAT_T(C)
    repeat
        C' := C;
        C := Unify_Ts(neq-T(nin-T(in-T(C))))
    until C = C';
    return(is_solved_T(C)).

Figure 10: The satisfiability procedure, parametric with respect to T

The rest of this section is devoted to proving the crucial result of termination for procedure
SAT_T(C) and, then, to proving its soundness and completeness.

function is_solved_T(C)
    build the directed graph G_C;
    if G_C has a cycle
        then return false
        else
            compute σ_C;
            if there is a pair t ∈ X, t' ∉ X in C s.t. T ⊨ ∀(σ_C(t) = σ_C(t'))
                then return false
                else return C.

Figure 11: Final check for solved form constraints



Theorem 6.1 (Termination) Let T be one of the theories List, MSet, CList, Set, and C be
a T-constraint. Each non-deterministic execution of SAT_T(C) terminates in a finite number of
steps. Moreover, the constraint returned is either false or a solved form constraint.

Proof. We give the proof for the case of MSet. The other proofs are in the Appendix.

It is immediate to see, by the definition of the procedures, that if C is different from false and not in
pre-solved form, then some rewriting rule can be applied. The function is_solved_MSet, whose termination
follows from termination of Unify_msets [11], needed for the solved form test T ⊨ ∀(σ_C(t) = σ_C(t')),
produces by definition solved form constraints or false.

We prove that the repeat cycle can not loop forever. For doing that, we define a complexity measure
for constraints. Let us assume that constraints of the form X = t, with X neither in t nor elsewhere in
C, are removed from C. Similarly, we assume that true constraints are not counted in the complexity
measure. These two assumptions are safe since those constraints do not fire any new rule application.
The complexity measure that we associate with a constraint is the following triple:

$$\mathit{compl}(C) = \Big\langle\ \alpha(C) = \#\text{ vars in } C,\ \ \beta(C) = \{\, \mathit{size}(s) + \mathit{size}(t) : s\ \mathit{op}\ t \in C \,\},\ \ \gamma(C) = \sum_{s\ \mathit{op}\ t \in C} \mathit{size}(s)\ \Big\rangle$$

The first and third element of the tuple are non-negative integers. The second is a multiset of
non-negative integers. They are well-ordered by the ordering obtained as the transitive closure of
the rule:

$$\{s_1, \dots, s_{i-1}, t_1, \dots, t_n, s_{i+1}, \dots, s_m\} \prec \{s_1, \dots, s_m\},$$

for $i \in \{1, \dots, m\}$, $n \geq 0$, $t_1 < s_i, \dots, t_n < s_i$. The ordering on triples is the (well-founded) lexico-
graphical ordering.

We will prove that given a constraint C, in a finite number of non-failing successive rule applications,
a constraint C' with lower complexity is reached. We show this property by case analysis. Most rule
applications decrease the complexity in one step. When this does not happen, we enter in more detail.

Unify_msets(1) α does not increase, β decreases.

Unify_msets(2) α and β do not increase. γ decreases, since size(X) = 0 and size(t) > 0.

Unify_msets(3) α decreases by 1.

Unify_msets(6) α does not increase, β decreases, since an equation of size $1 + \sum_{i=1}^{m} (\mathit{size}(s_i) + \mathit{size}(t_i))$
is replaced by m smaller equations of size size(s_i) + size(t_i).

Unify_msets(7) In this case the complexity may remain unchanged at the first step. However, the
unification algorithm adopts a selection strategy that ensures that after a finite number of steps,
we either reach a situation such that α decreases or a situation where α is unchanged and β
decreases (see [11] for details).

Unify_msets(8) After one rule application, we are in the case (7) with both the tails of the multisets
non variables. After a finite number of steps, we enter the situation where α is unchanged and β
decreases.

in-MSet(2) α does not increase. β decreases, since a constraint of size 1 + size(r) + size(s) + size(t) is
non-deterministically replaced by one of smaller size size(r) + size(s) or size(r) + size(t).

nin-MSet(1), (3) Trivially, α does not increase and β decreases.

nin-MSet(2) α does not increase. β decreases, since a constraint of size 1 + size(r) + size(s) + size(t) is
non-deterministically replaced by two of smaller size size(r) + size(s) and size(r) + size(t).

neq-MSet(2), (7) Trivially, α does not increase and β decreases.

neq-MSet(3) α and β do not increase. γ decreases, since size(X) = 0 and size(t) > 0.

neq-MSet(5) α does not increase. β decreases, since a constraint of size $1 + \sum_{i=1}^{n} (\mathit{size}(s_i) + \mathit{size}(t_i))$ is
non-deterministically replaced by one of size size(s_i) + size(t_i).

neq-MSet(6.2) A unique application of this rule may not decrease the constraint complexity. Thus, we
enter in some detail. The rule removes ⦃t1|s1⦄ ≠ ⦃t2|s2⦄ and introduces

    ⦃t2|s2⦄ = ⦃t1|N⦄ ∧      (6)
    s1 ≠ N                  (7)

Consider now the two cases:

1. ⦃t2|s2⦄ is ⦃r1, ..., rn⦄

2. ⦃t2|s2⦄ is ⦃r1, ..., rn | A⦄, for some variable A distinct from N that has just been intro-
duced.

In the first case the successive execution of Unify_bags replaces equation (6) by:

    t1 = ri,   N = ⦃r1, ..., r_{i-1}, r_{i+1}, ..., rn⦄

for some i = 1, ..., n. We have that

    size(t1) + size(ri) < size(⦃t1|s1⦄) + size(⦃t2|s2⦄).

The equation N = ⦃r1, ..., r_{i-1}, r_{i+1}, ..., rn⦄ is eliminated by applying the substitution for N.
N occurs only in the constraint s1 ≠ N, which becomes s1 ≠ ⦃r1, ..., r_{i-1}, r_{i+1}, ..., rn⦄. Again,
its size is strictly smaller than that of the original disequality constraint. Thus, after some further
steps, α remains unchanged while β decreases. Strictly speaking, some other actions may occur
during that sequence of actions. However, if no other rule (6.2) is executed, then all rules decrease
the complexity tuples. Conversely, if other rules of this form are executed, then we need to wait
for all the substitutions of this form to be applied. But they are all independent processes.
The second case is similar, but in this case a substitution also for A is computed, ensuring that
α decreases.

neq-MSet(6.1) After one step, we are in the above situation (6.2).

□ 
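The complexity measure of the proof above can be checked mechanically. The following is an added example, not code from the paper: it computes compl(C) = ⟨α, β, γ⟩ on the representation assumed here (variables are strings, f(t1,...,tn) is ('f', t1, ..., tn), ⦃t|s⦄ is ('{}', t, s), an atom is (op, lhs, rhs)), implements the multiset ordering used for β as the usual criterion "after cancelling common occurrences, every element left on the smaller side is dominated by an element left on the larger side", and applies one step of in-MSet(2) and of Unify_msets(6) to confirm that both strictly decrease the measure, as the case analysis states. size(X) = 0 for a variable and 1 plus the sizes of the arguments otherwise, matching the two facts the proof relies on.

```python
# Added example (not the paper's code): compl(C) from the proof of Theorem 6.1, the
# multiset ordering on its beta component, and two rule applications that decrease it.
# Representation assumed here: variable -> str; f(t1,...,tn) -> ('f', t1, ..., tn);
# {{t | s}} -> ('{}', t, s); nil -> ('nil',); an atom -> (op, lhs, rhs).
from collections import Counter

NIL = ('nil',)


def is_var(t):
    return isinstance(t, str)


def size(t):
    """size(X) = 0 for a variable; 1 + sizes of the arguments otherwise (so size(t) > 0)."""
    return 0 if is_var(t) else 1 + sum(size(a) for a in t[1:])


def free_vars(t):
    return {t} if is_var(t) else set().union(*(free_vars(a) for a in t[1:]))


def compl(C):
    """The triple (alpha, beta, gamma); beta is a multiset, kept as a Counter."""
    alpha = len(set().union(*(free_vars(l) | free_vars(r) for _, l, r in C)))
    beta = Counter(size(l) + size(r) for _, l, r in C)
    gamma = sum(size(l) for _, l, r in C)
    return alpha, beta, gamma


def mset_less(m1, m2):
    """m1 < m2 in the multiset ordering (transitive closure of replacing one element by
    finitely many smaller ones): cancel common occurrences, then every element left on
    the m1 side must be below some element left on the m2 side, which is non-empty."""
    d1, d2 = m1 - m2, m2 - m1            # Counter subtraction drops non-positive counts
    return bool(d2) and all(any(x < y for y in d2) for x in d1)


def compl_less(c1, c2):
    """Lexicographic ordering on the triples."""
    (a1, b1, g1), (a2, b2, g2) = c1, c2
    if a1 != a2:
        return a1 < a2
    if b1 != b2:
        return mset_less(b1, b2)
    return g1 < g2


def in_mset_rule2(C, i):
    """in-MSet(2): replace the atom r in {{t | s}} at position i by the two
    alternatives r = t and r in s; returns both resulting constraints."""
    op, r, s = C[i]
    assert op == 'in' and s[0] == '{}'
    rest = C[:i] + C[i + 1:]
    return [rest + [('eq', r, s[1])], rest + [('in', r, s[2])]]


def unify_rule6(C, i):
    """Unify_msets(6): replace f(s1,...,sm) = f(t1,...,tm), f not the multiset
    constructor, by the m equations s_j = t_j."""
    op, l, r = C[i]
    assert op == 'eq' and l[0] == r[0] != '{}' and len(l) == len(r) > 1
    return C[:i] + C[i + 1:] + [('eq', a, b) for a, b in zip(l[1:], r[1:])]
```

For C = {X ∈ ⦃a, b⦄} the measure is ⟨1, {5}, 0⟩ and both alternatives of in-MSet(2) have a smaller β ({1} and {3}); for {f(a, b) = f(X, b)} rule (6) turns β = {5} into {1, 2}, which is below it in the multiset ordering although it has more elements.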

The soundness and completeness result of the global constraint solving procedure for List, MSet,
and CList follows from the lemmas in the previous section and two lemmas in Appendix A.

Theorem 6.2 (Soundness - Completeness) Let T be one of the theories List, MSet, CList,
and Set, C be a T-constraint, and C_1, ..., C_k be the solved form constraints non-deterministically
returned by SAT_T(C), and N_i be FV(C_i) \ FV(C). Then $\mathcal{A}_T \models \forall\,(C \leftrightarrow \bigvee_{i=1}^{k} \exists N_i\, C_i)$, where
$\mathcal{A}_T$ is the model which corresponds with T.

Proof. Theorem 6.1 ensures the termination of each non-deterministic branch. At each branch
point, the number of non-deterministic choices is finite. Thus, C_1, ..., C_k can be effectively computed.
Soundness and completeness follow from the results proved individually for the procedures involved:
Lemma 5.1 for in-T and nin-T; Lemma 5.2, Lemma 5.3, Lemma 5.4, and Lemma 5.5 for neq-List,
neq-MSet, neq-CList, and neq-Set, respectively; Lemma A.6 for is_solved_T(C); [11] for unification. □

Corollary 6.3 (Decidability) Given a T-constraint C, it is decidable whether $\mathcal{A} \models \exists C$, where
$\mathcal{A}$ is one of the privileged models LIST, MSET, CLIST, SET.

Proof. From Theorem 6.2 we know that C is equi-satisfiable to C_1 ∨ ··· ∨ C_k. If all the C_i are false,
then C is unsatisfiable in LIST (MSET, CLIST, SET). Otherwise, it is satisfiable, since solved form
constraints are satisfiable (Theorem 4.12). □
6.1 Complexity Issues

Complexity of the four unification problems is studied in [11]: the decision problem for uni-
fication is proved to be solvable in linear time for lists, and it is NP-complete for the other
cases.

In the case of lists, if the constraint is a conjunction of equality and disequality constraints,
then the satisfiability problem for a constraint C is solvable in $O(n^2)$, where $n = |C|$.
Instead, the satisfiability problem for conjunctions of membership and disequality constraints
over lists is NP-hard. As a matter of fact, let us consider the following instance of 3-SAT:

$(X_1 \vee X_2 \vee \neg X_3) \wedge (\neg X_1 \vee X_2 \vee X_3) \wedge (X_1 \vee \neg X_2 \vee X_3)$.

The above instance of 3-SAT can be re-written as the following constraint problem:

    X1 ∈ [0,1] ∧ Y1 ∈ [0,1] ∧ [X1,Y1] ≠ [0,0] ∧ [X1,Y1] ≠ [1,1] ∧
    X2 ∈ [0,1] ∧ Y2 ∈ [0,1] ∧ [X2,Y2] ≠ [0,0] ∧ [X2,Y2] ≠ [1,1] ∧
    X3 ∈ [0,1] ∧ Y3 ∈ [0,1] ∧ [X3,Y3] ≠ [0,0] ∧ [X3,Y3] ≠ [1,1] ∧
    [X1,X2,Y3] ≠ [0,0,0] ∧ [Y1,X2,X3] ≠ [0,0,0] ∧ [X1,Y2,X3] ≠ [0,0,0]

where 0 and 1 can be represented by nil and [nil], respectively, and Y_i takes the place of ¬X_i
and vice versa. It is immediate to prove that any substitution satisfying the constraint problem
is also a solution for the above formula, provided 0 is interpreted as false and 1 is interpreted
as true, and vice versa.
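The reduction can be checked on small instances by brute force. The following is an added example, not code from the paper: it builds the constraint above from any 3-SAT instance (the encoding of 0 as nil, 1 as [nil], and of ¬X_i as the extra variable Y_i is the paper's; the representation of lists as nested ('cons', head, tail) tuples and of clauses as lists of (variable index, polarity) pairs is assumed here), enumerates every valuation of the X_i and Y_i over {0, 1}, and confirms that the valuations satisfying the constraint are exactly the satisfying assignments of the formula, with Y_i = ¬X_i in each of them.

```python
# Added example (not the paper's code): the reduction from 3-SAT to membership and
# disequality constraints over lists, checked by brute force on small instances.
# Encoding assumed here: 0 -> nil, 1 -> [nil]; literal X_i is the variable 'X_i'
# and its negation is 'Y_i'; a clause is a list of (variable index, polarity).
from itertools import product

NIL = ('nil',)
ZERO, ONE = NIL, ('cons', NIL, NIL)          # 0 = nil, 1 = [nil]


def lst(*elems, rest=NIL):
    """Build the list [e1, ..., en | rest] as nested ('cons', head, tail) tuples."""
    for e in reversed(elems):
        rest = ('cons', e, rest)
    return rest


def encode(clauses, nvars):
    """Constraint atoms ('in', l, r) / ('neq', l, r) for a 3-SAT instance."""
    atoms = []
    for i in range(1, nvars + 1):
        x, y = f'X{i}', f'Y{i}'
        atoms += [('in', x, lst(ZERO, ONE)), ('in', y, lst(ZERO, ONE)),
                  ('neq', lst(x, y), lst(ZERO, ZERO)),   # not both 0 ...
                  ('neq', lst(x, y), lst(ONE, ONE))]     # ... nor both 1: Y_i = not X_i
    for clause in clauses:
        lits = [f'X{v}' if pos else f'Y{v}' for v, pos in clause]
        atoms.append(('neq', lst(*lits), lst(ZERO, ZERO, ZERO)))   # some literal is 1
    return atoms


def instantiate(t, val):
    if isinstance(t, str):
        return val[t]
    return (t[0],) + tuple(instantiate(a, val) for a in t[1:])


def elements(l):
    out = []
    while l[0] == 'cons':
        out.append(l[1])
        l = l[2]
    return out


def holds(atom, val):
    """Evaluate a ground-instantiated atom in the list model."""
    op, l, r = atom
    l, r = instantiate(l, val), instantiate(r, val)
    return l in elements(r) if op == 'in' else l != r


def constraint_solutions(clauses, nvars):
    """All valuations of the X_i, Y_i over {0, 1} satisfying the encoded constraint."""
    atoms = encode(clauses, nvars)
    names = [f'X{i}' for i in range(1, nvars + 1)] + [f'Y{i}' for i in range(1, nvars + 1)]
    sols = []
    for bits in product((ZERO, ONE), repeat=len(names)):
        val = dict(zip(names, bits))
        if all(holds(a, val) for a in atoms):
            sols.append(val)
    return sols


def sat_assignments(clauses, nvars):
    """Truth assignments (tuples of bools) satisfying the 3-SAT instance directly."""
    return [bits for bits in product((False, True), repeat=nvars)
            if all(any(bits[v - 1] == pos for v, pos in c) for c in clauses)]


def reduction_is_faithful(clauses, nvars):
    """True iff the constraint solutions (reading 1 as true) are exactly the
    satisfying assignments, and every solution has Y_i = not X_i."""
    from_constraint = set()
    for val in constraint_solutions(clauses, nvars):
        if any(val[f'Y{i}'] == val[f'X{i}'] for i in range(1, nvars + 1)):
            return False
        from_constraint.add(tuple(val[f'X{i}'] == ONE for i in range(1, nvars + 1)))
    return from_constraint == set(sat_assignments(clauses, nvars))


# The paper's instance: (X1 v X2 v -X3) ^ (-X1 v X2 v X3) ^ (X1 v -X2 v X3)
PAPER_INSTANCE = [[(1, True), (2, True), (3, False)],
                  [(1, False), (2, True), (3, True)],
                  [(1, True), (2, False), (3, True)]]
```

On the paper's instance both sides have five solutions and reduction_is_faithful(PAPER_INSTANCE, 3) holds; on an unsatisfiable instance such as (X1 ∨ X1 ∨ X1) ∧ (¬X1 ∨ ¬X1 ∨ ¬X1) the constraint has no solution either.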



7 Conclusions

In this paper we have extended the results of [11], studying the constraint solving problem for
four different theories: the theories of lists, multisets, compact lists, and sets. The analyzed
constraints are conjunctions of literals based on equality and membership predicate symbols.
We have identified the privileged models for these theories by showing that they correspond
with the theories on the class of considered constraints. We have developed a notion of solved
form (proved to be satisfiable) and presented the rewriting algorithms which allow this notion
to be used to decide the satisfiability problems in the four contexts.

In particular, we have shown how constraint solving can be developed parametrically for
these theories and we have pointed out the differences and similarities between the four kinds
of aggregates.

As further work it could be interesting to study the properties of the four aggregates in
presence of append-like operators (append for lists, ∪ for sets, ⊎ for multisets). These operators
can not be defined without using universal quantifiers (or recursion) with the languages analyzed
in this paper [10].
A Proofs of Model Properties

We recall some technical definitions. Given two Σ-structures 𝒜 and ℬ, ℬ = (B, (·)^ℬ) is a substructure
of 𝒜 = (A, (·)^𝒜) if B ⊆ A and for all x ∈ B it holds that (x)^𝒜 = (x)^ℬ. Given two Σ-structures 𝒜 and
ℬ, a function h : A → B is said to be a homomorphism from 𝒜 to ℬ if:
(i) $\forall f \in \mathcal{F},\ a_1, \dots, a_n \in A\ \big(h(f^{\mathcal{A}}(a_1, \dots, a_n)) = f^{\mathcal{B}}(h(a_1), \dots, h(a_n))\big)$ and
(ii) $\forall p \in \Pi,\ a_1, \dots, a_m \in A\ \big(p^{\mathcal{A}}(a_1, \dots, a_m) \rightarrow p^{\mathcal{B}}(h(a_1), \dots, h(a_m))\big)$.
h is said to be an isomorphism if h is bijective and in property (ii) also the ← implication holds.
Given two Σ-structures 𝒜 and ℬ, an embedding of 𝒜 in ℬ is an isomorphism from 𝒜 to a substructure of ℬ.

Lemma A.1 (pp) Let 𝒜 and ℬ be two Σ-structures and let h be an embedding of 𝒜 in ℬ. If φ is an
open formula of ℒ = (Σ, 𝒱), then for each valuation σ on 𝒜 it holds that:

$\mathcal{A} \models \sigma(\varphi) \leftrightarrow \mathcal{B} \models h(\sigma(\varphi))$.
Lemma A.2 MSET is a model of the theory MSet.

Proof. For each axiom/axiom schema (A) of the theory MSet we need to prove that MSET
models (A) (briefly, MSET ⊨ (A)). We give only the sketch of the proof.

(K), (W): The fact that MSET is a model of (K) and (W) is a consequence of the interpretation of
the membership predicate in MSET (cf. point (4) of Def. 4.2).

(F1^m): This axiom holds in MSET, since f(t1, ..., tn) and f(s1, ..., sn) can be in the same class in
MSET only if for all i = 1, ..., n it holds that ti and si belong to the same class.

(F2): It holds trivially, by definition of MSET, since terms beginning with different free symbols belong
to different classes.

(F3), (F3^m): The fact that MSET ⊨ (F3) and MSET ⊨ (F3^m) holds in virtue of the finite size of each
ground term; it can be formally proved by induction on the complexity of the terms.

(E_k^m): MSET is a model of (E_k^m), since for any equational theory E, T(Σ)/≡_E is a model of E [26].

(E_l^m): MSET is a model of (E_k^m), as seen in the previous point, but it is also the initial model, namely
two terms s and t are in the same class if and only if (E_k^m) can prove that s = t. This is exactly
the meaning of the axiom (E_l^m).

□



Lemma A.3 If ℳ is a model of MSet, then the function $h : T(\Sigma_{\mathit{MSet}})/{\equiv_{E_{\mathit{MSet}}}} \to M$, defined as
$h([t]) = t^{\mathcal{M}}$, is an embedding of MSET in ℳ.

Proof. We will prove the following facts:

1. The definition of h([t]) does not depend on the choice of the representative of the class;

2. h is a homomorphism;

3. h is injective;

4. if h([t]) ∈^ℳ h([s]), then [t] ∈^MSET [s].

These facts imply the thesis.

1. If t1 and t2 are two terms such that [t1] = [t2], then by definition (E_k^m) ⊨ t1 = t2. Since
𝒜 ⊨ t1 = t2 holds in every model 𝒜 of (E_k^m), then in particular it holds in ℳ, i.e., t1^ℳ = t2^ℳ.



2. We need to prove that:

(a) for all $f \in \Sigma_{MSet}$ and for all terms $t_1, \ldots, t_n \in T(\Sigma_{MSet})$ it holds that

$$h(f^{\mathcal{MSET}}([t_1], \ldots, [t_n])) = f^{\mathcal{M}}(h([t_1]), \ldots, h([t_n])).$$

Now,

$$\begin{array}{lll}
h(f^{\mathcal{MSET}}([t_1], \ldots, [t_n])) & = h([f(t_1, \ldots, t_n)]) & \text{by fact (1) above} \\
& = f(t_1, \ldots, t_n)^{\mathcal{M}} & \text{by def. of } h \\
& = f^{\mathcal{M}}(t_1^{\mathcal{M}}, \ldots, t_n^{\mathcal{M}}) & \text{by def. of structure} \\
& = f^{\mathcal{M}}(h([t_1]), \ldots, h([t_n])) & \text{by def. of } h
\end{array}$$

(b) for all terms $t$ and $s$, if $[t] \in^{\mathcal{MSET}} [s]$, then $h([t]) \in^{\mathcal{M}} h([s])$. From $[t] \in^{\mathcal{MSET}} [s]$, using fact 1 above, we have that there is a term $s'$ in $[s]$ of the form $\{\![t \mid r]\!\}$ and that $h([s]) = s'^{\mathcal{M}}$. Hence, we have that $h([s]) = \{\![t^{\mathcal{M}} \mid r^{\mathcal{M}}]\!\}^{\mathcal{M}}$; $(W)$ ensures that $h([t]) = t^{\mathcal{M}}$ belongs to it.

3. We prove, by structural induction on $t_1$, that if $h([t_1]) = h([t_2])$, then $[t_1] = [t_2]$.

Basis. Let $t_1$ be a constant $c$. Since $\mathcal{M}$ is a model of axiom schema $(F_2)$, it cannot be that $t_2 = f(s_1, \ldots, s_n)$ with $f$ different from $c$. Hence, it must be that $t_2 = c$.

Step. Let $t_1$ be $f(s_1, \ldots, s_n)$, with $f \neq \{\![\cdot \mid \cdot]\!\}$. It cannot be $t_2 = g(r_1, \ldots, r_m)$ with $g \neq f$, since $\mathcal{M}$ is a model of $(F_2)$. So, it must be $t_2 = f(r_1, \ldots, r_n)$ and, by $(F_1)$, $s_i^{\mathcal{M}} = r_i^{\mathcal{M}}$ for all $i \leq n$. Using the inductive hypothesis we have $[t_1] = [t_2]$.

Let $t_1$ be $\{\![s_1, \ldots, s_n \mid r]\!\}$, with $r$ not of the form $\{\![r_1 \mid r_2]\!\}$. Since it cannot be that $t_2$ is $f(v_1, \ldots, v_n)$ (from the previous case applied to $t_2$), it must be that $t_2$ is $\{\![u_1, \ldots, u_m \mid v]\!\}$, for some $v$ not of the form $\{\![v_1 \mid v_2]\!\}$. Let us assume, by contradiction, that $[t_1] \neq [t_2]$ and $t_1^{\mathcal{M}} = t_2^{\mathcal{M}}$, while the thesis holds for all terms of lower complexity. From $t_1^{\mathcal{M}} = t_2^{\mathcal{M}}$ we obtain that the two terms have in $\mathcal{M}$ the same elements. Since $\mathcal{M}$ is a model of $(W)$, the elements of $t_1^{\mathcal{M}}$ are exactly $s_1^{\mathcal{M}}, \ldots, s_n^{\mathcal{M}}$ and the elements of $t_2^{\mathcal{M}}$ are exactly $u_1^{\mathcal{M}}, \ldots, u_m^{\mathcal{M}}$. So, by inductive hypothesis, there is a bijection $b : \{1, \ldots, n\} \to \{1, \ldots, m\}$ such that $[s_i] = [u_{b(i)}]$. This means that $m = n$ and that there is a term $t_2'$ in $[t_2]$ of the form $\{\![s_1, \ldots, s_m \mid v]\!\}$. Applying $n$ times $(E^m)$, in all possible ways, we obtain that $r^{\mathcal{M}} = v^{\mathcal{M}}$, hence by inductive hypothesis $[r] = [v]$. From this fact, we conclude that $[t_2] = [t_2'] = [\{\![s_1, \ldots, s_n \mid r]\!\}] = [t_1]$, which is in contradiction with our assumption.

4. If $h([t]) \in^{\mathcal{M}} h([s])$, then $t^{\mathcal{M}} \in^{\mathcal{M}} s^{\mathcal{M}}$ and hence $(K)$ implies that $s$ must be a term of the form $\{\![s_1 \mid s_2]\!\}$. By induction on $s$ using $(W)$, we can prove that in particular $s$ must be a term of the form $\{\![t_1, \ldots, t_i, \ldots, t_n \mid r]\!\}$ with $t_i^{\mathcal{M}} = t^{\mathcal{M}} = h([t])$. We have already proved that $h$ is injective, hence it must be $t_i \in [t]$, and from this we obtain $[t] \in^{\mathcal{MSET}} [s]$. $\Box$



Lemma A.4 If $C$ is a constraint in pre-solved form and acyclic, then $\sigma_C$ is stabilizing.

Proof. We prove that $\sigma_C^* = \sigma_C^{q-1}$, where $q$ is the number of variables which occur in the right-hand side of membership atoms.

The acyclicity condition ensures that there are no loops in the graph $G_C$. Consider now the substitution $\sigma_C$ and let $B$ be the set of the nodes of the graph that belong to its domain (we identify variables and the corresponding nodes). Each application of $\sigma_C$ to the terms of its codomain can be intuitively mimicked by a game that updates the value of $B$ with the nodes corresponding to the variables occurring in the terms $\sigma_C(B)$. These nodes can be computed by collecting the nodes that can be reached by crossing an edge from a node of $B$ (the new variables $F_i, M_i$ are all different, and they are not in the domain of $\sigma_C$, so we can forget them). The process terminates when either $B$ is empty or it contains only variables that are not in the domain of $\sigma_C$. Since $G_C$ is acyclic, this process must terminate, and since the longest path in the graph is shorter than $q$, it is plain to see that $q - 1$ is an upper bound to the number of iterations. $\Box$



Lemma A.5 Let $T$ be one of the theories $List$, $MSet$, $CList$, $\mathcal{A}_T$ the model (structure) which corresponds with $T$, and $E_T$ the associated equational theory. Let $t, t'$ be two terms and $C$ a solved form constraint over the language $\mathcal{L}_T$, such that $FV(t) \cup FV(t') \subseteq FV(C)$. If $\mathcal{A}_T \not\models \forall(t = t')$, then $E_T \not\models \forall(\sigma_C^*(t) = \sigma_C^*(t'))$.

Proof. Let $R = \{X_1, \ldots, X_n\}$ be the set of variables over which $\sigma_C$ is defined. By induction on the sum of the complexities of $t$ and $t'$ we prove the following property, which implies the thesis of the lemma.

If there exists $\theta$ such that $\mathcal{A}_T \models \theta(t) \neq \theta(t')$, then there exists $\theta'$ such that $\mathcal{A}_T \models \theta'(\sigma_C(t)) \neq \theta'(\sigma_C(t'))$.

Let us consider the valuation $\theta''$ defined as:

$$\theta''(Y) = \theta(X_i) \quad \text{if } Y = M_{X_i}$$

Observe that $\theta''$ is not defined over the variables $F_{X_1}, \ldots, F_{X_n}$.

Let $m = \max\{size(\theta''(\sigma_C(t))), size(\theta''(\sigma_C(t')))\} + 1$. We can now define the valuation $\theta'$ in the following way:

$$\theta'(Y) = \begin{cases} [\mathrm{nil}]^{m+i} \ (\{\![\mathrm{nil}]\!\}^{m+i},\ [\![\mathrm{nil}]\!]^{m+i}) & \text{if } Y = F_{X_i} \\ \theta''(Y) & \text{otherwise} \end{cases}$$

If $t = Y_1$ and $t' = Y_2$ are variables then:

• if $\sigma_C$ is defined neither on $Y_1$ nor on $Y_2$, then $\theta'(\sigma_C(Y_1)) = \theta'(Y_1) = \theta(Y_1) \neq \theta(Y_2) = \theta'(Y_2) = \theta'(\sigma_C(Y_2))$;

• if $\sigma_C$ is defined on $Y_1$ and not on $Y_2$ (or vice versa), then $size(\theta'(\sigma_C(Y_1))) > size(\theta'(F_{Y_1})) > size(\theta'(Y_2))$;

• if $\sigma_C$ is defined both on $Y_1$ and on $Y_2$, then:

List and CList: $\theta'(\sigma_C(Y_1))$ and $\theta'(\sigma_C(Y_2))$ differ on their first element.

MSet: $\theta'(\sigma_C(Y_1))$ and $\theta'(\sigma_C(Y_2))$ differ on their elements $\theta'(F_{Y_1})$ and $\theta'(F_{Y_2})$.

If $t = Y$ is a variable and $t'$ is $f(t'_1, \ldots, t'_h)$, also when $f$ is of the form $[\cdot \mid \cdot]$, $[\![\cdot \mid \cdot]\!]$, $\{\![\cdot \mid \cdot]\!\}$, then:

• if $\sigma_C$ is defined neither on $FV(t')$ nor on $Y$, then we have immediately the thesis, since $\theta'(\sigma_C(Y)) = \theta(Y)$ and $\theta'(\sigma_C(t')) = \theta(t')$;

• if $\sigma_C$ is defined on $Y$, but not on $FV(t')$, then we have the thesis, since $size(\theta'(\sigma_C(Y))) > size(\theta(t'))$;

• if $\sigma_C$ is defined on at least one variable of $t'$ and not on $Y$, then as in the previous case we have the thesis;

• if $\sigma_C$ is defined on $Y$ and on at least one of the variables of $t'$, then:

List and CList: it can never be the case that the first element of $\theta'(\sigma_C(Y))$, i.e. $\theta'(F_Y)$, is equal to the first element of $\theta'(\sigma_C(t'))$; this follows from the conditions we have imposed on all the $\theta'(F_{X_i})$.

MSet: two cases are possible. Either $\theta'(F_Y)$ is not an element of $\theta'(\sigma_C(t'))$, from which we have the thesis; or $\theta'(F_Y)$ is an element of $\theta'(\sigma_C(t'))$: this means that $tail(t') = Y$, hence the thesis follows.

If $t$ is $f(t_1, \ldots, t_h)$ and $t'$ is $g(t'_1, \ldots, t'_k)$, with $f$ different from $g$, then it is trivial.

If $t$ is $f(t_1, \ldots, t_h)$ and $t'$ is $f(t'_1, \ldots, t'_h)$, with $f$ different from $[\cdot \mid \cdot]$, $[\![\cdot \mid \cdot]\!]$, $\{\![\cdot \mid \cdot]\!\}$, then by inductive hypothesis we have the thesis.

If $t$ is $[t_1 \mid t_2]$ and $t'$ is $[t'_1 \mid t'_2]$, then from $\mathcal{LIST} \models \theta(t) \neq \theta(t')$ we have that it must be $\mathcal{LIST} \models \theta(t_1) \neq \theta(t'_1)$ or $\mathcal{LIST} \models \theta(t_2) \neq \theta(t'_2)$, hence, in both cases, we obtain the thesis by inductive hypothesis.

If $t$ is $[\![t_1 \mid t_2]\!]$ and $t'$ is $[\![t'_1 \mid t'_2]\!]$, then from $\mathcal{CLIST} \models \theta(t) \neq \theta(t')$ we have that it must be $\mathcal{CLIST} \models \theta(t_1) \neq \theta(t'_1)$ or $\mathcal{CLIST} \models \theta(t_2) \neq \theta(t'_2) \wedge \theta(t_2) \neq [\![\theta(t'_1) \mid \theta(t'_2)]\!] \wedge \theta(t'_2) \neq [\![\theta(t_1) \mid \theta(t_2)]\!]$, hence:

• in the first case we obtain the thesis by inductive hypothesis on $t_1$ and $t'_1$;

• in the second case, by inductive hypothesis on $t_2$ and $t'_2$, on $t_2$ and $[\![t'_1 \mid t'_2]\!]$, and on $t'_2$ and $[\![t_1 \mid t_2]\!]$, we obtain that $\mathcal{CLIST} \models \theta'(\sigma_C(t_2)) \neq \theta'(\sigma_C(t'_2))$ and $\mathcal{CLIST} \models \theta'(\sigma_C(t_2)) \neq \theta'(\sigma_C([\![t'_1 \mid t'_2]\!]))$ and $\mathcal{CLIST} \models \theta'(\sigma_C(t'_2)) \neq \theta'(\sigma_C([\![t_1 \mid t_2]\!]))$, which implies our thesis.

If $t$ is $\{\![t_1 \mid t_2]\!\}$ and $t'$ is $\{\![t'_1 \mid t'_2]\!\}$, then:

• if $tail(t_2)$ and $tail(t'_2)$ are the same variable, then we obtain the thesis by inductive hypothesis on $untail(\{\![t_1 \mid t_2]\!\})$ and $untail(\{\![t'_1 \mid t'_2]\!\})$;

• if $tail(t_2) = Y$ and $tail(t'_2) = Y'$ are not the same variable and $\sigma_C$ is not defined on $Y$ or on $Y'$, then $\theta'(F_Y)$ or $\theta'(F_{Y'})$ is not an element of both $\theta'(\sigma_C(t))$ and $\theta'(\sigma_C(t'))$;

• if $tail(t_2) = Y$ and $tail(t'_2) = Y'$ are not the same variable and $\sigma_C$ is not defined on $Y$ and on $Y'$, then we can restrict ourselves to the case in which there is an element $s$ of $\theta(t)$ which is not an element of $\theta(t')$ (in the general case we would have to consider that there exists $s$ such that there are $m$ occurrences of $s$ in $\theta(t)$ and $n$ occurrences in $\theta(t')$ with $m \neq n$):

– if $s$ is an element of $\theta(Y)$, then, from the fact that $\sigma_C$ is not defined on $Y$, we have the thesis, since it cannot be the case that one of the elements of $untail(t')$ becomes equal to $\theta(s)$ (the new elements have a size which is greater);

– if $s$ is an element of $untail(t)$, then we have $t = \{\![u_1, \ldots, u_h, \ldots, u_m \mid Y]\!\}$ and $s = \theta(u_h)$; hence, from the inductive hypothesis, we have that $\theta'(\sigma_C(u_h))$ is still different from all the elements of $\theta'(\sigma_C(untail(t')))$, and it is immediate that it is different from all the elements of $\theta'(Y')$, hence $\theta'(\sigma_C(u_h))$ is an element of $\theta'(\sigma_C(t))$ which is not in $\theta'(\sigma_C(t'))$. $\Box$



Lemma A.6 Let $T$ be one of the theories $List$, $CList$, $MSet$ and $Set$, and $C$ a constraint in pre-solved form over the language of $T$. If $is\_solved_T(C)$ returns $false$, then $C$ is not satisfiable in the model $\mathcal{A}_T$ which corresponds with $T$.

Proof. If $is\_solved_T(C)$ returns $false$ because $G_C$ has a cycle, then the result is trivial, since all aggregates in $\mathcal{A}_T$ are well-founded. Otherwise:

For $List$, $MSet$, $CList$: From Lemma A.5 we know that $T \models \forall(\sigma_C^*(t) = \sigma_C^*(t'))$ implies $T \models \forall(t = t')$, hence, since $t \in X$ and $t' \notin X$ are in $C$, $C$ is not satisfiable in the model $\mathcal{A}_T$ which corresponds with $T$.

For $Set$: Let $\sigma_C^* = [X_1/\{F_1, p^1_1, \ldots, p^1_{k_1} \mid M_1\}, \ldots, X_q/\{F_q, p^q_1, \ldots, p^q_{k_q} \mid M_q\}]$; we have that if $\mathcal{SET} \models C\gamma$, then $\mathcal{SET} \models (C\sigma_C^*)\gamma'$, where $\gamma'$ is defined as follows:

$$\gamma'(Y) = \begin{cases} \gamma(X_i) & \text{if } Y = M_i \\ \gamma(p^i_1) & \text{if } Y = F_i \\ \gamma(Y) & \text{otherwise} \end{cases}$$

Hence, if $is\_solved_{Set}$ returns $false$ this means that $C\sigma_C^*$ is not satisfiable in $\mathcal{SET}$, which implies that $C$ is not satisfiable in $\mathcal{SET}$. $\Box$



B Termination Proofs (Theorem 6.1)

Termination of $SAT_{List}$

Using the same measure as for $SAT_{MSet}$, termination follows. $\Box$

Termination of $SAT_{CList}$

Finding a global decreasing measure implies that this measure is decreased by each rule of each algorithm involved. The measure developed in [11] for proving termination of Unify_clists is rather complex. This is due to the fact that new variables are (apparently) freely introduced in the constraint by this procedure. Instead of extending such a complex measure to the general case, we use here a different approach for proving termination. The proof is based:

• on the fact that each single rewriting procedure terminates (for Unify_clists it follows from [11]; for the other three procedures the result is trivial) and

• on the fact that it is possible to find a bound on the number of possible repeat cycles.

The remaining part of the proof is devoted to finding this bound. First of all observe that:

• After the execution of in-CList there are only membership atoms of the form $t \in X$ with $X \notin FV(t)$. New equations can be introduced.

• After the execution of nin-CList there are only not-membership literals of the form $t \notin X$ with $X \notin FV(t)$. New disequality constraints can be introduced. Membership atoms are not introduced.

• After the execution of neq-CList there are only disequality constraints of the form $X \neq t$ with $X \notin FV(t)$. New equations can be introduced. $\in$- and $\notin$-constraints are not introduced.

• Unify_clists eliminates all equality constraints, producing a substitution. This substitution, when applied to membership, not-membership, and disequality literals in pre-solved form, can force a new execution of the procedures in-CList, nin-CList, and neq-CList. However, new executions of Unify_clists are possible only if in-CList and neq-CList introduce new equations. In the following we will find a bound on the number of possible new equations inserted.

Let us analyze membership constraints. Each membership atom of the form $t \in [s' \mid s'']$ is rewritten to $false$ or to $t = s' \vee t \in s''$. This means that in each non-deterministic branch of the rewriting process at most one equation is introduced for each initial membership atom. Thus, if $k$ is the number of membership atoms in $C$ at the beginning of the computation, at most $k$ equality atoms (that can fire Unify_clists) can be introduced. If we prove termination with $k = 0$ then full termination easily follows, since it is the same as considering $k$ successive (terminating) executions.
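The membership rewriting just described, as an added Python example (not the paper's code): it enumerates the non-deterministic branches of $t \in [s' \mid s'']$ for a conjunction of membership atoms and checks that no branch carries more equations than there were atoms. The list encoding and the sample constraint are constructed here, and the collapsing of contiguous duplicates in compact lists is ignored since it does not affect which elements a term contains.

```python
# Added example, not from the paper: the non-deterministic rewriting of a
# membership atom  t in [s' | s'']  ->  false  or  t = s' \/ t in s''  that the
# SAT_CList termination argument counts equations for. Constructed encoding:
# lists are ('cons', head, tail) ending in 'nil', variables are uppercase strs.
from itertools import product

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def fv(t):
    if is_var(t):
        return {t}
    if isinstance(t, tuple):
        return set().union(*(fv(a) for a in t[1:]))
    return set()

def rewrite_member(t, s):
    """Branches for the atom t in s: each branch is a list of literals
    ('eq', t, s_i) or a pre-solved ('in', t, X); no branches means false."""
    branches = []
    while True:
        if is_var(s):
            # t in X stays, in pre-solved form, only if X is not in FV(t):
            # a well-founded list cannot contain a term built over itself
            if s not in fv(t):
                branches.append([('in', t, s)])
            return branches
        if isinstance(s, tuple) and s[0] == 'cons':
            branches.append([('eq', t, s[1])])   # branch t = s'
            s = s[2]                              # branch t in s'': keep walking
            continue
        return branches                           # nil or f(..): false

def branches_of(atoms):
    """All branches of a conjunction of membership atoms (their product);
    an empty result means the conjunction rewrote to false."""
    per_atom = [rewrite_member(t, s) for t, s in atoms]
    return [sum(br, []) for br in product(*per_atom)]

def max_equations(atoms):
    """Largest number of equations (Unify_clists triggers) in any branch;
    never more than the number of initial membership atoms."""
    counts = (sum(lit[0] == 'eq' for lit in br) for br in branches_of(atoms))
    return max(counts, default=0)

# Constructed constraint with k = 2 atoms: f(X) in [a, f(Y) | R],  b in [b]
ATOMS = [(('f', 'X'), ('cons', 'a', ('cons', ('f', 'Y'), 'R'))),
         ('b', ('cons', 'b', 'nil'))]
```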

Let us consider the procedure neq-CList. Action (7.2) can replace a disequality constraint of the form $X \neq [t_1, \ldots, t_n \mid X]$ with the following equations, identifying a substitution:

$$X = \mathrm{nil} \qquad (8)$$

$$X = [N_1 \mid N_2] \text{ with } N_1, N_2 \text{ new variables.} \qquad (9)$$

Let us analyze the various cases in which substitutions of this form have some effect on the constraint.

• There is $t \in X$ in $C$. This is not possible by hypothesis, since $k = 0$.

• $t \notin X$ or $X \neq t$, and we know that $X$ does not occur in $t$. This implies a finite number of executions of rules of nin-CList or neq-CList. Since $X$ is not in $t$ and the variables $N_1$ and $N_2$ are newly introduced, it is impossible to generate a situation firing rule (7.2).

• Assume there is more than one equation introduced for the same variable $X$.

– If they are all of the form (8), then Unify_clists will apply the substitution and remove the redundant equations.

– If they are all of the form (9), then Unify_clists will perform a unification process between these new equations. The particular form of the equations allows us to see that the effect is to introduce new equations of the form $N_1 = N'_1$ between all the new variables used as elements and equations of the form $N_2 = N'_2$ or $N_2 = [N'_1 \mid N'_2]$ between the new variables used as rests. The situation is similar to that in which a unique substitution is computed.

– If there are both equations of the form (8) and of the form (9), then a failing (thus terminating) situation will be detected by Unify_clists. $\Box$



Termination of $SAT_{Set}$

Finding a global decreasing measure implies that this measure is decreased by each rule of each algorithm involved. This is rather complex since it must subsume the measure developed in [?] for proving termination of Unify_sets. Thus, instead of extending such a complex measure, we use here a different approach for proving termination. The proof is based:

• on the fact that each single rewriting procedure terminates (for Unify_sets it follows from [?]; for the other three procedures the result is trivial) and

• on the fact that it is possible to control the number of new calls to unification.

In order to simplify the proof we assume a strategy for handling the non-determinism. The strategy will be pointed out during the discussion.

As observed in the proof for $SAT_{CList}$, if $k$ is the number of membership atoms in $C$ at the beginning of the computation, at most $k$ equality atoms (that can fire Unify_sets) can be introduced. For this reason, we can safely forget this kind of constraint in the whole reasoning.

The only problem for termination is given by rules (6a) and (6b) of neq-Set. As a strategy, we can unfold the application of these rules (actually adding a bit of determinism to the whole procedure). This means that rule (6a) (for (6b) the situation is symmetrical) is as follows: assume that $\{t_1 \mid s_1\}$ is $\{v_1, \ldots, v_m \mid h\}$ and $\{t_2 \mid s_2\}$ is $\{w_1, \ldots, w_n \mid k\}$, with $h, k$ variables or terms of the form $f(\ldots), g(\ldots)$, $f$ and $g$ different from $\{\cdot \mid \cdot\}$. The global effect of the subcomputation is that of returning a constraint of the form ($1 \leq i \leq m$):

$$N = v_i,\ v_i \neq w_1, \ldots, v_i \neq w_n,\ v_i \notin k \qquad (10)$$

or one constraint of the form

$$h = \{N \mid N'\},\ N \neq w_1, \ldots, N \neq w_n,\ N \notin k \qquad (11)$$

if $h$ is a variable. Notice that the application of this substitution is a sort of application of rule (4) of the procedure in-Set.

In the following discussion let us assume that termination by failure does not occur (in that case termination follows trivially). Suppose we have already executed the first cycle of the repeat loop. Local termination ensures that this can be done in finite time. In the constraint there are no equations, while there can be negated membership and disequality literals not necessarily in pre-solved form.

Let us execute the procedure nin-Set. No equations are introduced. In the constraint there are not-membership literals in pre-solved form and disequality constraints not necessarily in pre-solved form.

Let us execute the procedure neq-Set. We adopt a weak strategy to face the non-determinism: delay the constraints that fire action (6) as much as possible. This means that after a finite time the constraint is composed of a number of constraints of the form $X \neq t$ or $t \notin X$ with $X \notin FV(t)$ plus a (possibly empty) constraint $\mathcal{C}$ of constraints all firing action (6) of neq-Set. Pick one constraint $c$ from $\mathcal{C}$ and consider the possible non-deterministic executions.

• Assume that the situation of case (11) above does not occur in a non-deterministic branch. Then (see case (10)) the constraint $c$ is replaced in $\mathcal{C}$ by a number of constraints $v_i \neq w_j$ of smaller size. If they do not fire action (6) they can be directly processed to reach a pre-solved form. Otherwise, they are inserted in $\mathcal{C}$, but since they are of smaller size, if the situation of case (11) never occurs, this again implies termination.

• Assume now that the situation of case (11) occurs when processing the constraint $c$. Constraints

$$N \neq w_1, \ldots, N \neq w_n,\ N \notin k$$

are introduced. Constraints in pre-solved form of the form above, with $N$ a variable introduced as element of a set by action (6), are said to be passive constraints. Variables $N$ of this form are inserted in the constraint only by this step. We will see that passive disequality constraints remain in pre-solved form forever, while negated membership passive literals have a controlled growth. Assume that we apply immediately the substitution $h/\{N \mid N'\}$. Its effect can be the following, according to the position of $h$ in a constraint:

– $X \neq t[h]$ or $t[h] \notin X$: the terms get changed but the constraints remain in pre-solved form.

– $s[h] \neq t$ or $s \neq t[h]$ or $s[h] \neq t[h]$: the terms change but the constraints remain in $\mathcal{C}$ to be processed later.

– $t \notin h$ is transformed to $t \notin \{N \mid N'\}$. One step of nin-Set is applied to obtain: $t \neq N \wedge t \notin N'$. The first constraint is immediately transformed into $N \neq t$ (a passive constraint) while the second is in pre-solved form. Observe that if $t \notin h$ is passive (i.e., $t$ is a variable of type $N$), then only passive constraints are introduced.

– $h \neq t$ is transformed to $\{N \mid N'\} \neq t$. Observe that $h \neq t$ cannot be a passive constraint since $h$ is a 'rest' variable while the variables of passive constraints are 'element' variables, like $N$ here. A constraint in pre-solved form is no longer in pre-solved form. Let us apply the rewriting rules to it. It is immediately rewritten to $true$ (e.g., when $t$ is $f(\cdots)$, $f \neq \{\cdot \mid \cdot\}$), or it becomes in pre-solved form (when $t$ is a variable), or action (6) can be applied. Both in case (10) and in case (11) we introduce a number of passive constraints and, in the last case, a substitution $N'/\{N_1 \mid N'_1\}$ is applied. Notice that the global effect on the system is that in the other constraints the original variable $h$ is replaced by $\{N, N_1 \mid N'_1\}$. This means that this situation can be performed at most once for each occurrence of $h$. And the reasoning starting from substitutions of the form $\{N, N_1, \ldots, N_i \mid N'_i\}$ is the same as that done here for $N'/\{N_1 \mid N'_1\}$. At the end of the process, the number of constraints in $\mathcal{C}$ is decreased and we have only introduced pre-solved form and passive constraints. $\Box$






